LNAI 2796

Marta Cialdea Mayer
Fiora Pirri (Eds.)

Automated Reasoning
with Analytic Tableaux
and Related Methods

International Conference, TABLEAUX 2003
Rome, Italy, September 9-12, 2003
Proceedings

Springer

Lecture Notes in Artificial Intelligence 2796

Edited by J. G. Carbonell and J. Siekmann
Subseries of Lecture Notes in Computer Science

Series Editors

Jaime G. Carbonell, Carnegie Mellon University, Pittsburgh, PA, USA
Jörg Siekmann, University of Saarland, Saarbrücken, Germany

Volume Editors

Marta Cialdea Mayer
Università di Roma Tre, Dipartimento di Informatica e Automazione
via della Vasca Navale 79, 00146 Rome, Italy
E-mail: cialdea@dia.uniroma3.it

Fiora Pirri
Università di Roma "La Sapienza", Dipartimento di Informatica e Sistemistica
via Salaria 113, 00198 Rome, Italy
E-mail: pirri@dis.uniroma1.it

Cataloging-in-Publication Data applied for

A catalog record for this book is available from the Library of Congress

Bibliographic information published by Die Deutsche Bibliothek
Die Deutsche Bibliothek lists this publication in the Deutsche Nationalbibliographie; detailed bibliographic data is available in the Internet at <http://dnb.ddb.de>.

CR Subject Classification (1998): I.2.3, F.4.1, I.2, D.1.6, D.2.4
ISSN 0302-9743
ISBN 3-540-40787-1 Springer-Verlag Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.

Springer-Verlag Berlin Heidelberg New York,
a member of BertelsmannSpringer Science+Business Media GmbH

http://www.springer.de

© Springer-Verlag Berlin Heidelberg 2003
Printed in Germany

Typesetting: Camera-ready by author, data conversion by DA-TeX Gerd Blumenstein
Printed on acid-free paper SPIN: 10931899 06/3142 5 4 3 2 1 0




Foreword 



This volume contains the main papers presented at the International Conference on Analytic Tableaux and Related Methods (TABLEAUX 2003) held on September 9-12, 2003 in Rome, Italy. This conference was the continuation of international meetings on the same topic held in Lautenbach near Karlsruhe (1992), Marseille (1993), Abingdon near Oxford (1994), St. Goar near Koblenz (1995), Terrasini near Palermo (1996), Pont-à-Mousson near Nancy (1997), Oisterwijk near Tilburg (1998), Saratoga Springs near Albany NY (1999), St Andrews (2000), and Copenhagen (2002). In 2001 TABLEAUX was part of IJCAR 2001 in Siena.

Tableaux and related methods, such as Gentzen calculi, are a convenient and effective formalism for automating deduction not only in classical logic, but also in various non-standard logics. Examples taken from the papers collected in this volume alone include modal, temporal, intuitionistic, non-monotonic, conditional, paraconsistent, many-valued, intermediate, and description logics. Areas of application include verification of software and computer systems, deductive databases, knowledge representation and its required inference engines, and system diagnosis. The conference brought together researchers interested in all aspects - theoretical foundations, implementation techniques, systems development and applications - of the mechanization of reasoning with tableaux and related methods. Applications and implementations played a quite relevant role, as witnessed by the numerous system descriptions presented at the conference.

TABLEAUX 2003 in Rome was co-located with the International Conference on Theorem Proving in Higher Order Logics (TPHOLs 2003) and the 11th Symposium on the Integration of Symbolic Computation and Mechanized Reasoning (Calculemus 2003). The three events run in parallel provided the opportunity for contacts with a broader community, corroborated by the joint panel discussion on "Open Challenges for Computerized Mathematics," focusing on both deduction and calculus, and the talk by Thierry Coquand, jointly invited by Calculemus 2003 and TABLEAUX 2003.

Acknowledgements. We are grateful to all the people who contributed to the success of the conference TABLEAUX 2003. We thank all the members of the program committee and the other referees for their rigorous work in paper reviewing, the authors and the invited speakers for their contributions, and the tutorial organizers. We also give thanks to our colleague Carla Limongelli, for her invaluable help in many practical matters; Andrea Gecchetti, for installing and helping to maintain the software for our web-based reviewing procedure; and Consulta Umbria, for their professional support for local arrangements, particularly hard in a big city like Rome. A special thanks, finally, goes to our sponsors and the Faculty of Engineering of Università "La Sapienza," in whose seat the conference took place.
Non Commutative Logic: A Survey
(Abstract)

V. Michele Abrusci

Dipartimento di Filosofia
Università degli Studi di Roma Tre, Italy
abrusci@uniroma3.it

Noncommutative Logic (NL) has been introduced by Abrusci and Ruet (Non-Commutative Logic I, Annals of Mathematical Logic, 2001). NL is a refinement of Linear Logic (LL) and a conservative extension of Lambek Calculus (LC). Therefore, NL is a constructive logic (i.e. proofs are programs).

Noncommutative logic makes it possible to deal with commutative and non-commutative conjunctions and disjunctions.

In Noncommutative Logic sequents are order varieties on finite sets of occurrences of formulas.

The talk surveys the main results obtained in Noncommutative logic in 2001-2003, by several authors:

1. proof-nets,
2. sequent calculus, and sequentialization theorem,
3. proof search,
4. phase semantics, and completeness theorem,
5. reduction of proof-nets, and semantics of proofs,
6. modules.
Dynamical Method in Algebra: A Survey
(Abstract)

Thierry Coquand

Computing Science Department
Göteborg University, Sweden
coquand@cs.chalmers.se

The system D5, of J. Della Dora, C. Dicrescenzo, and D. Duval, allows computations in the algebraic closure of a field, though it is known that such a closure may fail to exist constructively. This mystery has been recently analysed in the work of Coste-Lombardi-Roy. A survey of this work and its connections with the system D5 is presented in this talk. In particular I present in detail the notion of "geometric logic" which allows a quite suggestive notion of proofs which may be of independent interest.
Automated Theorem Proving in Generation, Verification, and Certification of Safety Critical Code
(Abstract)

Johann Schumann

RIACS / NASA Ames
Moffett Field, CA 94035
schumann@email.arc.nasa.gov

With increased complexity of missions, the need for high quality, mission- and safety-critical software has increased dramatically over the past few years. Several incidents (e.g., Mars Polar Lander) have shown that software errors can cause total loss of a mission. Together with tight budgets and schedules, software development and certification has become a serious bottleneck.

In this talk, I report on work done in the Automated Software Engineering group at NASA Ames. We are developing automatic program synthesis systems for state estimation and navigation (AutoFilter), and data analysis (AutoBayes). These tools automatically generate documented C/C++ code from compact, high-level specifications.

For safety-critical applications, the generated code must be certified, since the alternative of verifying the code generator is not feasible. We support the certification process by combining code certification with automatic program synthesis. Code certification is a lightweight approach for formally demonstrating important aspects of software quality. Its basic idea is to require the code producer to provide formal proofs that the code satisfies certain safety properties. These proofs serve as certificates that can be checked independently. Full automation can be accomplished by having AutoBayes/AutoFilter synthesize all required detailed annotations (e.g., loop invariants) together with the code. A flexible VCG generates proof obligations for the individual safety policies; the proof tasks are then processed by e-SETHEO.

Whenever a tool is used during certification, the tool must be trusted to produce reliable results. In this talk, I discuss approaches on how to increase trust, like use of small trusted components, traceability between code and proofs, and automatic proof checking, as well as a number of important theoretical (like "is the domain theory consistent?") and practical (e.g., how to get the proof out of the prover) issues.

In this talk, I also summarize an application of e-SETHEO to automatically prove safety and effectiveness properties of a flight control system.
Tableaux with Four Signs as a Unified Framework

Arnon Avron

School of Computer Science
Tel-Aviv University
Ramat Aviv 69978, Israel
aa@math.tau.ac.il

Abstract. We show that the use of tableaux with four types of signed formulas (the signs intuitively corresponding to positive/negative information concerning truth/falsity) provides a framework in which a diversity of logics can be handled in a uniform way. The logics for which we provide sound and complete tableau systems of this type are classical logic, the most important three-valued logics, the four-valued logic of logical bilattices (an extension of Belnap's four-valued logic), Nelson's logics for constructive negation, and da Costa's paraconsistent logic $C_\omega$ (together with some of its extensions). For the latter we provide new, simple semantics for which our tableau systems are sound and complete.



1 Introduction

There are two main variants of tableau systems for classical logic. One employs two sorts of signed formulas: $T\varphi$ and $F\varphi$ (intuitively meaning "$\varphi$ is true" and "$\varphi$ is false", respectively). The other employs ordinary formulas, replacing $T\varphi$ simply by $\varphi$ and using $\neg\varphi$ as a substitute for $F\varphi$ (where $\neg$ is the negation connective of the language). This alternative to the use of signs works well for classical logic, but a combination of the two methods is frequently needed for handling weaker logics, since usually the refutation of $F\varphi$ is not equivalent to the validity of $\varphi$. Our goal here is to present what we believe to be a better approach, one which allows for a unified treatment of negation (and other standard connectives!) in a diversity of logics. The idea is to use four sorts of signed formulas: $T^+\varphi$, $T^-\varphi$, $F^+\varphi$, and $F^-\varphi$. The intuitive meaning of these signs can best be explained in terms of positive and negative information (see e.g. [38]). $T^+\varphi$ intuitively means that there is positive information for the truth of $\varphi$, $T^-\varphi$ means that there is negative information for the truth of $\varphi$, $F^+\varphi$ means that there is positive information for the falsity of $\varphi$, and $F^-\varphi$ means that there is negative information for the falsity of $\varphi$.¹ In the rest of this paper we demonstrate the usefulness of the four-signs framework by providing within it sound and complete tableau systems for several well known logics. In the next section we consider logics in which negation is added to positive classical logic. This includes classical logic itself, the most important three-valued logics, and the four-valued logic of logical bilattices (which is an extension of Belnap's famous four-valued logic). In the last section we treat logics in which (true) negation is conservatively added to positive intuitionistic logic. The systems we consider there are Nelson's two logics for constructive negation ($N^-$ and $N$), and da Costa's paraconsistent logic $C_\omega$ (together with some of its extensions). For the latter we provide new, simple semantics for which our tableau system(s) are sound and complete.

One point should be noted before we proceed. Tableaux with more than two signs have already been used in the framework of many-valued logics (see the survey papers [29, 13] for the idea and for an extensive list of references). The signs which are employed there correspond however to the truth-values of the logic in question (so tableau systems with exactly $n$ signs are used for any $n$-valued logic). Here, in contrast, the four signs do not correspond to truth-values, and we use them even for logics which do not have a finite characteristic matrix. On the contrary, our goal is to provide a general framework which (as far as possible) is not essentially connected to any specific type of semantics.

¹ A similar idea has motivated the introduction and use of bilattices. See [27, 28, 23, 22, 24, 25].

2 Many-Valued Extensions of Positive Classical Logic

2.1 Four-Valued Logics

In [12, 11] Belnap suggested the use of logics based on the four truth-values $t$, $f$, $\top$, and $\bot$, where $t$ and $f$ are the classical values, $\top$ ("both true and false") represents the truth-value of formulas about which there is inconsistent data, while $\bot$ ("neither true nor false") is the truth-value of formulas on which no data is available. Belnap's structure is nowadays known also as the basic (distributive) bilattice, and its logic as the basic logic of (distributive) bilattices (see [27, 28, 23, 22, 24, 25, 1, 2]). The following is an extension (from [1]) of Belnap's logic with an appropriate implication connective:

Definition 1. The matrix $\mathcal{M}_4 = (M_4, D_4, O_4)$:²

- $M_4 = \{t, f, \top, \bot\}$
- $D_4 = \{t, \top\}$
- The operations in $O_4$ are defined by:
  1. $\neg t = f$, $\neg f = t$, $\neg\top = \top$, $\neg\bot = \bot$
  2. $a \vee b = \sup_{\le_t}(a, b)$, $a \wedge b = \inf_{\le_t}(a, b)$, where the partial order $\le_t$ is defined by: $f \le_t \top \le_t t$ and $f \le_t \bot \le_t t$.
  3. $a \supset b = b$ if $a \in D_4$, and $a \supset b = t$ if $a \notin D_4$.

As usual, a function $v$ from the set $\mathcal{F}$ of formulas of $\{\neg, \vee, \wedge, \supset\}$ into $M_4$ is called a valuation in $\mathcal{M}_4$ if it respects the operations in $O_4$. A valuation $v$ is an $\mathcal{M}_4$-model of a formula $\varphi$ of $\mathcal{F}$ if $v(\varphi) \in D_4$. $v$ is an $\mathcal{M}_4$-model of a set $T$ of formulas if it is an $\mathcal{M}_4$-model of each element of $T$. A formula $\varphi$ follows in $\mathcal{M}_4$ from $T$ ($T \vdash_{\mathcal{M}_4} \varphi$) if every $\mathcal{M}_4$-model of $T$ is also an $\mathcal{M}_4$-model of $\varphi$.

The concept of an $\mathcal{M}_4$-model can be extended to signed formulas as follows:

- $v$ is an $\mathcal{M}_4$-model of $T^+\varphi$ if $v(\varphi) \in \{t, \top\}$
- $v$ is an $\mathcal{M}_4$-model of $T^-\varphi$ if $v(\varphi) \in \{f, \top\}$
- $v$ is an $\mathcal{M}_4$-model of $F^+\varphi$ if $v(\varphi) \in \{f, \bot\}$
- $v$ is an $\mathcal{M}_4$-model of $F^-\varphi$ if $v(\varphi) \in \{t, \bot\}$

Note that $T \vdash_{\mathcal{M}_4} \varphi$ iff the set $\{T^+\psi \mid \psi \in T\} \cup \{F^+\varphi\}$ is not satisfiable.

² The names of the various matrices discussed in this section are taken from [9].
We present now a tableau system which is sound and complete w.r.t. $\mathcal{M}_4$.

Definition 2. The Tableau System $Tab(\mathcal{M}_4)$:³

Expansion Rules:

$(T^+\neg)\ \dfrac{T^+\neg\varphi}{T^-\varphi}$   $(F^+\neg)\ \dfrac{F^+\neg\varphi}{F^-\varphi}$   $(T^-\neg)\ \dfrac{T^-\neg\varphi}{T^+\varphi}$   $(F^-\neg)\ \dfrac{F^-\neg\varphi}{F^+\varphi}$

$(T^+\wedge)\ \dfrac{T^+\varphi\wedge\psi}{T^+\varphi,\ T^+\psi}$   $(F^+\wedge)\ \dfrac{F^+\varphi\wedge\psi}{F^+\varphi \mid F^+\psi}$   $(T^-\wedge)\ \dfrac{T^-\varphi\wedge\psi}{T^-\varphi \mid T^-\psi}$   $(F^-\wedge)\ \dfrac{F^-\varphi\wedge\psi}{F^-\varphi,\ F^-\psi}$

$(T^+\vee)\ \dfrac{T^+\varphi\vee\psi}{T^+\varphi \mid T^+\psi}$   $(F^+\vee)\ \dfrac{F^+\varphi\vee\psi}{F^+\varphi,\ F^+\psi}$   $(T^-\vee)\ \dfrac{T^-\varphi\vee\psi}{T^-\varphi,\ T^-\psi}$   $(F^-\vee)\ \dfrac{F^-\varphi\vee\psi}{F^-\varphi \mid F^-\psi}$

$(T^+\supset)\ \dfrac{T^+\varphi\supset\psi}{F^+\varphi \mid T^+\psi}$   $(F^+\supset)\ \dfrac{F^+\varphi\supset\psi}{T^+\varphi,\ F^+\psi}$   $(T^-\supset)\ \dfrac{T^-\varphi\supset\psi}{T^+\varphi,\ T^-\psi}$   $(F^-\supset)\ \dfrac{F^-\varphi\supset\psi}{F^+\varphi \mid F^-\psi}$

Closure Conditions: A branch is closed iff for some formula $\varphi$ it contains either $\{T^+\varphi, F^+\varphi\}$ or $\{T^-\varphi, F^-\varphi\}$.

Theorem 1. A set of signed formulas is unsatisfiable in $\mathcal{M}_4$ (i.e.: does not have an $\mathcal{M}_4$-model) iff it has a closed tableau in $Tab(\mathcal{M}_4)$ (i.e.: a tableau in which every branch is closed).

³ This system is closely related to the Gentzen-type system for this logic that was presented in [1, 9], and its completeness can be derived from the completeness of that system. It is however more illuminating to prove it directly.
Proof: Obviously, any set $T$ of formulas for which either of the two closure conditions obtains is unsatisfiable. It is also straightforward to check that for every expansion rule $R$, if $T$ has a model in $\mathcal{M}_4$ then so does at least one of the sets which are obtained from $T$ by $R$. Together these two facts imply the soundness of $Tab(\mathcal{M}_4)$ (i.e.: if $T$ has a closed tableau then it is unsatisfiable). For the converse it suffices to prove that the set of formulas $\Gamma$ of any fully expanded open branch (in a complete tableau for $T$) has the following $v$ as a model:

$$v(p) = \begin{cases} f & \text{if } T^+p \notin \Gamma,\ F^-p \notin \Gamma \\ \bot & \text{if } F^+p \in \Gamma,\ F^-p \in \Gamma \\ \top & \text{if } T^+p \in \Gamma,\ T^-p \in \Gamma \\ t & \text{otherwise} \end{cases}$$

(note that $v(p) = t$ iff either $T^+p \in \Gamma$, $T^-p \notin \Gamma$ or $F^+p \notin \Gamma$, $F^-p \in \Gamma$). Indeed, the fact that $\Gamma$ is open (i.e. contains no subset of the form $\{T^+p, F^+p\}$ or of the form $\{T^-p, F^-p\}$) implies that $v$ is well defined. It also implies that if $Sp \in \Gamma$, where $S$ is one of the four signs and $p$ is atomic, then $v$ is a model of $Sp$. Using induction on the structure of formulas and the fact that $\Gamma$ is fully expanded, it is not difficult then to show that $v$ is a model of any formula in $\Gamma$.

Corollary 1. Let $\varphi$ and $\psi$ be formulas in the language of $\{\neg, \vee, \wedge\}$. Then $\varphi \to \psi$ is a valid first degree entailment of the relevance logic $R$ ([3, 4, 19]) iff $\{T^+\varphi, F^+\psi\}$ has a closed tableau in $Tab(\mathcal{M}_4)$.

Note. Although we use here 4 signs, these signs do not correspond to the 4 truth values of the semantics. Indeed, the same signs will be used below (with very similar systems) for 3-valued logics, and even for classical logic.

Note. It is well known from the literature on bilattices (see e.g. [28, 25]) that $M_4$ can be identified with $\{t, f\} \times \{t, f\}$ (so that $\top$ represents $(t, t)$, $\bot$ represents $(f, f)$, $t$ represents $(t, f)$ and $f$ represents $(f, t)$). This allows an alternative presentation of the semantics, using two valuations in $\{t, f\}$, representing independent information concerning truth and falsity of formulas (see [38]). We shall explain more about this approach in section 3.



2.2 Three-Valued Logics and Classical Logic

We consider next two basic three-valued logics, whose matrices are submatrices of $\mathcal{M}_4$.

Definition 3. The matrix $\mathcal{M}_3^{\bot} = (M_3^{\bot}, D_3^{\bot}, O_3^{\bot})$:

- $M_3^{\bot} = \{t, f, \bot\}$
- $D_3^{\bot} = \{t\}$
- The operations in $O_3^{\bot}$ are defined by:
  1. $\neg t = f$, $\neg f = t$, $\neg\bot = \bot$
  2. $a \vee b = \sup_{\le_t}(a, b)$, $a \wedge b = \inf_{\le_t}(a, b)$
  3. $a \supset b = b$ if $a \in D_3^{\bot}$, and $a \supset b = t$ if $a \notin D_3^{\bot}$

Note. The connective $\supset$ of $\mathcal{M}_3^{\bot}$ was originally introduced by Slupecki in [36]. It was independently reintroduced in [32, 39, 35] and [7] (see also [14]). The language of $\mathcal{M}_3^{\bot}$ is equivalent ([7]) to that used in the logic LPF of the VDM project ([30]), as well as to the language of Łukasiewicz 3-valued logic $L_3$ ([31]). It is in fact the language of all 3-valued operations which are classically closed. It can be shown that by adding one propositional constant to it (corresponding to the truth value $\bot$) we get a functionally complete set of 3-valued connectives (See [8] for further details and references).

Definition 4. The matrix $\mathcal{M}_3^{\top} = (M_3^{\top}, D_3^{\top}, O_3^{\top})$:

- $M_3^{\top} = \{t, f, \top\}$
- $D_3^{\top} = \{t, \top\}$
- The operations in $O_3^{\top}$ are defined by:
  1. $\neg t = f$, $\neg f = t$, $\neg\top = \top$
  2. $a \vee b = \sup_{\le_t}(a, b)$, $a \wedge b = \inf_{\le_t}(a, b)$
  3. $a \supset b = b$ if $a \in D_3^{\top}$, and $a \supset b = t$ if $a \notin D_3^{\top}$

Note that the main difference between $\mathcal{M}_3^{\top}$ and $\mathcal{M}_3^{\bot}$ is in the choice of the designated values. As a result, the connective $\supset$ of $\mathcal{M}_3^{\top}$ is not identical to that of $\mathcal{M}_3^{\bot}$, despite their similar definitions (the other three connectives of $\mathcal{M}_3^{\top}$ are identical to their $\mathcal{M}_3^{\bot}$ counterparts).

Note. The implication connective of $\mathcal{M}_3^{\top}$ was first introduced in [17, 16]. It was independently introduced also in [6]. The language of $\mathcal{M}_3^{\top}$ is equivalent to that used in the standard 3-valued paraconsistent logic J3 ([18, 6, 34, 20]. In [7] it is called Pac), as well as to that used in the semi-relevant system RM3 ([3, 4, 19]. See also [6, 7]). It is the language of all 3-valued operations which are classically closed and free ([8]).

The concepts of $\mathcal{M}_3^{\bot}$-model and of $\mathcal{M}_3^{\top}$-model are defined now exactly as in the case of $\mathcal{M}_4$ (but of course only the available truth-values are relevant. Thus practically a valuation $v$ in $\mathcal{M}_3^{\bot}$ is an $\mathcal{M}_3^{\bot}$-model of $\varphi$ if $v(\varphi) = t$).

The Tableau System $Tab(\mathcal{M}_3^{\bot})$: This is the system obtained from $Tab(\mathcal{M}_4)$ by adding to it the following extra closure condition: a branch is closed also if for some formula $\varphi$ it contains $\{T^+\varphi, T^-\varphi\}$.

The Tableau System $Tab(\mathcal{M}_3^{\top})$: This is the system obtained from $Tab(\mathcal{M}_4)$ by adding to it the following extra closure condition: a branch is closed also if for some formula $\varphi$ it contains $\{F^+\varphi, F^-\varphi\}$.
Theorem 2.
1. A set of signed formulas is unsatisfiable in $\mathcal{M}_3^{\bot}$ iff it has a closed tableau in $Tab(\mathcal{M}_3^{\bot})$.
2. A set of signed formulas is unsatisfiable in $\mathcal{M}_3^{\top}$ iff it has a closed tableau in $Tab(\mathcal{M}_3^{\top})$.

Proof: The proofs of both parts are almost identical to the proof of Theorem 1. The only difference in the case of $Tab(\mathcal{M}_3^{\bot})$ is that the extra closure condition rules out the possibility that $v(\varphi) = \top$ for some formula $\varphi$, while in the case of $Tab(\mathcal{M}_3^{\top})$ it rules out the possibility that $v(\varphi) = \bot$.

Note. Because of the strong expressive power of the languages of $\mathcal{M}_3^{\bot}$ and $\mathcal{M}_3^{\top}$ (see [8, 9]), their tableau systems can be used as bases for all other 3-valued logics. For example, $\varphi \to \psi$, where $\to$ is Łukasiewicz 3-valued implication, is equivalent in $\mathcal{M}_3^{\bot}$ to $(\varphi \supset \psi) \wedge (\neg\psi \supset \neg\varphi)$. This leads to the following 4 rules for it:

$(T^+\to)\ \dfrac{T^+\varphi\to\psi}{T^+\psi \mid T^-\varphi \mid F^+\varphi,\ F^-\psi}$   $(T^-\to)\ \dfrac{T^-\varphi\to\psi}{T^+\varphi,\ T^-\psi}$

$(F^+\to)\ \dfrac{F^+\varphi\to\psi}{T^+\varphi,\ F^+\psi \mid F^-\varphi,\ T^-\psi}$   $(F^-\to)\ \dfrac{F^-\varphi\to\psi}{F^+\varphi \mid F^-\psi}$

We end this section with a characterization of classical logic itself:

Theorem 3. Let $Tab(\mathcal{M}_2)$ be the system obtained from $Tab(\mathcal{M}_4)$ by adding to it both of the extra closure conditions of $Tab(\mathcal{M}_3^{\bot})$ and $Tab(\mathcal{M}_3^{\top})$. Then a set of signed formulas is unsatisfiable in classical logic iff it has a closed tableau in $Tab(\mathcal{M}_2)$.

Proof: The proof is again almost identical to the proof of Theorem 1. Only this time the two extra closure conditions together rule out the possibility that $v(\varphi) \in \{\top, \bot\}$ for some formula $\varphi$.

Note. It is easy to see that the positive fragments of all the four logics considered in this section are identical (i.e. the fragments in which only the signs $T^+, F^+$ and the connectives $\wedge, \vee$, and $\supset$ are used). Hence all these logics are conservative extensions of positive classical logic.
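The following Python program is an added example (not code from the paper): it encodes the sixteen expansion rules and the two closure conditions of $Tab(\mathcal{M}_4)$, the two extra closure conditions of this section (closing a branch on $\{T^+\varphi, T^-\varphi\}$, respectively on $\{F^+\varphi, F^-\varphi\}$, and on both for the classical system $Tab(\mathcal{M}_2)$), and the matrix semantics of the four-valued logic and its two three-valued submatrices, and then compares both sides of Theorems 1-3 on constructed sets of signed formulas. The tuple encoding of formulas, the names `value`, `satisfiable`, `has_closed_tableau`, `entails`, `theorem_holds` and the system names `M4`, `M3_bot`, `M3_top`, `M2` are the example's own conventions. Running it prints, per matrix, whether $p \wedge \neg p \vdash q$ and $\vdash p \vee \neg p$ hold, which shows how each extra closure condition discards exactly one of the non-classical values.

```python
"""Four-sign tableaux for M4 and its three-valued and classical restrictions.

Added example, not code from the paper. Formulas are atoms (strings) or tuples
('not', a), ('and', a, b), ('or', a, b), ('imp', a, b); a signed formula is a pair
(sign, formula) with sign in {'T+', 'T-', 'F+', 'F-'}.
"""
from itertools import product

T, F, TOP, BOT = 't', 'f', 'top', 'bot'        # truth-values of M4
D4 = {T, TOP}                                   # designated values
NEG = {T: F, F: T, TOP: TOP, BOT: BOT}
_RANK = {F: 0, TOP: 1, BOT: 1, T: 2}            # truth order: f < top, bot < t

def _sup(a, b):
    """a v b: supremum in the truth order (top and bot are incomparable)."""
    if a == b:
        return a
    if {a, b} == {TOP, BOT}:
        return T
    return a if _RANK[a] > _RANK[b] else b

def _inf(a, b):
    """a & b: infimum in the truth order."""
    if a == b:
        return a
    if {a, b} == {TOP, BOT}:
        return F
    return a if _RANK[a] < _RANK[b] else b

def value(phi, v):
    """Value of phi under the atomic assignment v (dict atom -> value)."""
    if isinstance(phi, str):
        return v[phi]
    op = phi[0]
    if op == 'not':
        return NEG[value(phi[1], v)]
    a, b = value(phi[1], v), value(phi[2], v)
    if op == 'and':
        return _inf(a, b)
    if op == 'or':
        return _sup(a, b)
    return b if a in D4 else T                  # 'imp': b if a is designated, else t

# v models S phi iff value(phi) lies in the set attached to the sign S
SIGN_SETS = {'T+': {T, TOP}, 'T-': {F, TOP}, 'F+': {F, BOT}, 'F-': {T, BOT}}

def atoms(phi):
    return {phi} if isinstance(phi, str) else set().union(*map(atoms, phi[1:]))

def satisfiable(signed, values):
    """Brute force over all valuations into `values` (a sub-matrix of M4)."""
    ats = sorted(set().union(*(atoms(phi) for _, phi in signed)))
    return any(all(value(phi, dict(zip(ats, vals))) in SIGN_SETS[s] for s, phi in signed)
               for vals in product(values, repeat=len(ats)))

# Expansion rules: (sign, connective) -> alternatives; each alternative lists the
# (new sign, index of immediate subformula) pairs that go together on one branch.
RULES = {
    ('T+', 'not'): [[('T-', 1)]],               ('F+', 'not'): [[('F-', 1)]],
    ('T-', 'not'): [[('T+', 1)]],               ('F-', 'not'): [[('F+', 1)]],
    ('T+', 'and'): [[('T+', 1), ('T+', 2)]],    ('F+', 'and'): [[('F+', 1)], [('F+', 2)]],
    ('T+', 'or'):  [[('T+', 1)], [('T+', 2)]],  ('F+', 'or'):  [[('F+', 1), ('F+', 2)]],
    ('T+', 'imp'): [[('F+', 1)], [('T+', 2)]],  ('F+', 'imp'): [[('T+', 1), ('F+', 2)]],
    ('T-', 'and'): [[('T-', 1)], [('T-', 2)]],  ('F-', 'and'): [[('F-', 1), ('F-', 2)]],
    ('T-', 'or'):  [[('T-', 1), ('T-', 2)]],    ('F-', 'or'):  [[('F-', 1)], [('F-', 2)]],
    ('T-', 'imp'): [[('T+', 1), ('T-', 2)]],    ('F-', 'imp'): [[('F+', 1)], [('F-', 2)]],
}

CLOSURE_M4 = [('T+', 'F+'), ('T-', 'F-')]       # closure conditions of Definition 2
NO_TOP = [('T+', 'T-')]                         # extra condition ruling out the value top
NO_BOT = [('F+', 'F-')]                         # extra condition ruling out the value bot

# system name -> (available truth-values, extra closure conditions)
SYSTEMS = {'M4': ((T, F, TOP, BOT), []), 'M3_bot': ((T, F, BOT), NO_TOP),
           'M3_top': ((T, F, TOP), NO_BOT), 'M2': ((T, F), NO_TOP + NO_BOT)}

def closed(branch, closure):
    return any((s1, phi) in branch and (s2, phi) in branch
               for s1, s2 in closure for _, phi in branch)

def has_closed_tableau(signed, extra=()):
    """True iff every branch of the (depth-first) tableau for `signed` closes."""
    closure = CLOSURE_M4 + list(extra)
    def run(branch, todo):
        if closed(branch, closure):
            return True
        while todo:
            s, phi = todo.pop()
            if isinstance(phi, str):
                continue                        # atoms have no expansion rule
            # the expanded formula stays on the branch; every alternative must close
            return all(run(branch | {(ns, phi[i]) for ns, i in alt},
                           todo + [(ns, phi[i]) for ns, i in alt])
                       for alt in RULES[(s, phi[0])])
        return False                            # fully expanded and still open
    return run(frozenset(signed), list(signed))

def entails(premises, conclusion, system):
    """T |- phi in the given matrix, decided by refuting {T+ psi : psi in T} U {F+ phi}."""
    signed = [('T+', psi) for psi in premises] + [('F+', conclusion)]
    return has_closed_tableau(signed, SYSTEMS[system][1])

def theorem_holds(signed, system):
    """One instance of Theorems 1-3: unsatisfiable in the matrix iff closed tableau."""
    values, extra = SYSTEMS[system]
    return (not satisfiable(signed, values)) == has_closed_tableau(signed, extra)

# constructed sample sets of signed formulas
P_AND_NOT_P = ('and', 'p', ('not', 'p'))
LEM = ('or', 'p', ('not', 'p'))
SAMPLES = [
    [('T+', P_AND_NOT_P), ('F+', 'q')],         # explosion: refuted only where top is absent
    [('F+', LEM)],                              # excluded middle: refuted only where bot is absent
    [('F+', ('imp', 'p', ('imp', 'q', 'p')))],  # positive tautology: closed in every system
    [('T-', ('imp', 'p', 'q')), ('F-', 'q')],   # exercises the T-/F- rules for implication
    [('F-', ('or', ('not', 'p'), 'q')), ('T+', 'p')],
]

if __name__ == '__main__':
    for name in SYSTEMS:
        print(name, 'explosion:', entails([P_AND_NOT_P], 'q', name),
              'LEM:', entails([], LEM, name),
              'theorem check:', all(theorem_holds(s, name) for s in SAMPLES))
```

The expansion rules are table-driven, so the same prover serves all four systems; only the closure list changes, exactly as in the text.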



3 Conservative Extensions of Positive Intuitionistic Logic

3.1 Nelson's Logics for Negation

The logics $N^-$ and $N$ are conservative extensions of positive intuitionistic logic which were independently introduced by Nelson (see [5]) and Kutschera ([37]). The motivation for their introduction has been the wish to provide an adequate treatment of negative information within the framework of constructive logic. See [38] for further details and references.
The standard semantics of $N^-$ is based on Kripke frames $\mathcal{X} = (I, \le, v^+, v^-)$ in which $v^+$ and $v^-$ are valuations from $I \times \mathcal{F}$ into $\{t, f\}$ (where $\mathcal{F}$ is the set of formulas) which satisfy the following two basic conditions:

$(H^+)$ If $a \le b$ and $v^+(a, \varphi) = t$ then $v^+(b, \varphi) = t$

$(H^-)$ If $a \le b$ and $v^-(a, \varphi) = t$ then $v^-(b, \varphi) = t$

and $v^+$ and $v^-$ should further satisfy also the following conditions:

- $v^+(a, \varphi \wedge \psi) = t$ iff $v^+(a, \varphi) = t$ and $v^+(a, \psi) = t$
- $v^-(a, \varphi \wedge \psi) = t$ iff $v^-(a, \varphi) = t$ or $v^-(a, \psi) = t$
- $v^+(a, \varphi \vee \psi) = t$ iff $v^+(a, \varphi) = t$ or $v^+(a, \psi) = t$
- $v^-(a, \varphi \vee \psi) = t$ iff $v^-(a, \varphi) = t$ and $v^-(a, \psi) = t$
- $v^+(a, \varphi \supset \psi) = t$ iff for all $b \ge a$, either $v^+(b, \varphi) = f$ or $v^+(b, \psi) = t$
- $v^-(a, \varphi \supset \psi) = t$ iff $v^+(a, \varphi) = t$ and $v^-(a, \psi) = t$
- $v^+(a, \neg\varphi) = t$ iff $v^-(a, \varphi) = t$
- $v^-(a, \neg\varphi) = t$ iff $v^+(a, \varphi) = t$

Call a frame $\mathcal{X} = (I, \le, v^+, v^-)$ satisfying the above conditions an $N^-$-frame. An $N$-frame is defined similarly, with one extra condition: that $v^+(a, \varphi)$ and $v^-(a, \varphi)$ cannot both be $t$ at the same time.

Note. It can be shown that it suffices to demand the H(ereditary) conditions $(H^+)$ and $(H^-)$ only for atomic formulas. They are imposed then on the set of all formulas by the other conditions.

The semantics of formulas and of signed formulas is defined now as follows. Let $\mathcal{X} = (I, \le, v^+, v^-)$ be an $N^-$-frame, and let $a \in I$. Define:

- $(\mathcal{X}, a)$ is an $N^-$-model of $T^+\varphi$ if $v^+(a, \varphi) = t$
- $(\mathcal{X}, a)$ is an $N^-$-model of $T^-\varphi$ if $v^-(a, \varphi) = t$
- $(\mathcal{X}, a)$ is an $N^-$-model of $F^+\varphi$ if $v^+(a, \varphi) = f$
- $(\mathcal{X}, a)$ is an $N^-$-model of $F^-\varphi$ if $v^-(a, \varphi) = f$

Call now $(\mathcal{X}, a)$ an $N^-$-model of an ordinary formula $\varphi$ iff it is an $N^-$-model of $T^+\varphi$ (iff it is not an $N^-$-model of $F^+\varphi$). Define $N$-models of signed formulas and of ordinary formulas in a similar way, using $N$-frames instead of $N^-$-frames.

Note. If we allow only one element in $I$ then what we get is equivalent to the four-valued logic of $\mathcal{M}_4$. As we have already noted above, it is indeed quite common to use two valuations $v^+$ and $v^-$ from $\mathcal{F}$ to $\{t, f\}$ for an equivalent representation of the semantics of this logic ([38]). The conditions concerning $v^+$ and $v^-$ are practically identical to those in the case of $N^-$, with only one exception: instead of the above condition concerning $v^+(a, \varphi \supset \psi) = t$ we have in that logic the simpler condition:

$v^+(a, \varphi \supset \psi) = t$ iff $v^+(a, \varphi) = f$ or $v^+(a, \psi) = t$

It is possible then to define the meanings of the signed formulas in this logic in a way which is completely analogous to the way this was done above for $N^-$.
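As an added example (not code from the paper), the following Python program evaluates $v^+$ (truth support) and $v^-$ (falsity support) with the clauses given above on a small constructed Kripke frame, checks the heredity conditions $(H^+)$ and $(H^-)$ on compound formulas, decides which signed formulas hold at a point, and tests the extra condition that separates $N$-frames from $N^-$-frames. The three-point frame, its atomic valuations, the class name `NMinusFrame` and the method names are the example's own; the tuple encoding of formulas is the same as in the earlier example. The frame is built so that at the root no information about $p$ is available, and at one leaf $q$ is both verified and falsified; this is what makes $p \vee \neg p$ and $(q \wedge \neg q) \supset r$ fail while $\neg\neg p \supset p$ and the strong-negation De Morgan law hold.

```python
"""Kripke semantics of Nelson's N^- on a finite frame.

Added example, not code from the paper. Formulas: atom (str), ('not', a),
('and', a, b), ('or', a, b), ('imp', a, b). The frame is (I, <=, v+, v-) with
v+ and v- given on atoms; compound formulas follow the clauses of Section 3.1.
"""

class NMinusFrame:
    def __init__(self, points, order, vplus, vminus):
        self.points = list(points)
        self.order = set(order)                     # pairs (a, b) meaning a <= b
        self.vp = set(vplus)                        # (a, p) with v+(a, p) = t
        self.vm = set(vminus)                       # (a, p) with v-(a, p) = t
        # the constructed atomic valuations must satisfy (H+) and (H-)
        for a, p in list(self.vp) + list(self.vm):
            for b in self.up(a):
                if (a, p) in self.vp and (b, p) not in self.vp:
                    raise ValueError(f"(H+) fails for {p} at {a} <= {b}")
                if (a, p) in self.vm and (b, p) not in self.vm:
                    raise ValueError(f"(H-) fails for {p} at {a} <= {b}")

    def up(self, a):
        """All b with a <= b (the order is assumed reflexive and transitive)."""
        return [b for b in self.points if (a, b) in self.order]

    def plus(self, a, phi):
        """v+(a, phi) = t ?"""
        if isinstance(phi, str):
            return (a, phi) in self.vp
        op, args = phi[0], phi[1:]
        if op == 'not':
            return self.minus(a, args[0])
        if op == 'and':
            return self.plus(a, args[0]) and self.plus(a, args[1])
        if op == 'or':
            return self.plus(a, args[0]) or self.plus(a, args[1])
        # implication quantifies over all b >= a, as in intuitionistic logic
        return all(not self.plus(b, args[0]) or self.plus(b, args[1]) for b in self.up(a))

    def minus(self, a, phi):
        """v-(a, phi) = t ?  (the clause for implication is local to a)"""
        if isinstance(phi, str):
            return (a, phi) in self.vm
        op, args = phi[0], phi[1:]
        if op == 'not':
            return self.plus(a, args[0])
        if op == 'and':
            return self.minus(a, args[0]) or self.minus(a, args[1])
        if op == 'or':
            return self.minus(a, args[0]) and self.minus(a, args[1])
        return self.plus(a, args[0]) and self.minus(a, args[1])

    def models(self, a, sign, phi):
        """(frame, a) is an N^- -model of the signed formula `sign phi`."""
        return {'T+': self.plus(a, phi), 'T-': self.minus(a, phi),
                'F+': not self.plus(a, phi), 'F-': not self.minus(a, phi)}[sign]

    def valid(self, phi):
        """phi holds (T+ phi) at every point of the frame."""
        return all(self.plus(a, phi) for a in self.points)

    def hereditary(self, phi):
        """(H+) and (H-) hold for phi along every pair a <= b."""
        return all((not self.plus(a, phi) or self.plus(b, phi)) and
                   (not self.minus(a, phi) or self.minus(b, phi))
                   for a, b in self.order)

    def is_n_frame(self, formulas):
        """Extra N-frame condition, checked on the given formulas: never both t."""
        return not any(self.plus(a, phi) and self.minus(a, phi)
                       for a in self.points for phi in formulas)

# constructed frame: root 0 below two leaves 1 and 2 (order given reflexively)
FRAME = NMinusFrame(
    points=[0, 1, 2],
    order={(0, 0), (1, 1), (2, 2), (0, 1), (0, 2)},
    vplus={(1, 'p'), (2, 'q')},       # p verified at 1, q verified at 2
    vminus={(2, 'p'), (2, 'q')},      # p falsified at 2, q also falsified at 2
)

LEM = ('or', 'p', ('not', 'p'))
DNE = ('imp', ('not', ('not', 'p')), 'p')
DEMORGAN = ('imp', ('not', ('and', 'p', 'q')), ('or', ('not', 'p'), ('not', 'q')))
EXPLOSION = ('imp', ('and', 'q', ('not', 'q')), 'r')

if __name__ == '__main__':
    for name, phi in [('LEM', LEM), ('DNE', DNE), ('DeMorgan', DEMORGAN), ('explosion', EXPLOSION)]:
        print(f"{name:10} valid: {FRAME.valid(phi)}  hereditary: {FRAME.hereditary(phi)}")
    print("N-frame on q:", FRAME.is_n_frame(['q']))
```

Since the atomic valuations at leaf 2 make $q$ both verified and falsified, the frame is an $N^-$-frame but not an $N$-frame, which is why explosion fails on it; restricting the valuations so that no atom is both verified and falsified turns it into an $N$-frame.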
We present now tableau systems which are sound and complete with respect to $N^-$ and $N$.

Definition 5. The Tableau Systems $Tab(N^-)$ and $Tab(N)$ are obtained from $Tab(\mathcal{M}_4)$ and $Tab(\mathcal{M}_3^{\bot})$ (respectively) by replacing their $(F^+\supset)$ rule with the following pair of rules:

$(F^+\supset)'\ \dfrac{F^+\varphi\supset\psi}{F^+\psi}$   $(F^+\supset)''\ \dfrac{S,\ F^+\varphi\supset\psi}{T(S),\ T^+\varphi,\ F^+\psi}$

Here $(F^+\supset)''$ is a variant of the usual special intuitionistic rule for refuting implication: if $S$ is the set of signed formulas on some branch then $T(S)$ is the set of all the elements in $S$ whose sign is either $T^+$ or $T^-$, and an expansion of a branch by this rule requires the creation of a new tableau for the set $T(S) \cup \{T^+\varphi, F^+\psi\}$.

Theorem 4. A set of signed formulas is unsatisfiable in $N^-$ iff it has a closed tableau in $Tab(N^-)$.

Proof: The proof is similar to the proofs of the soundness and completeness of the standard tableau system for propositional intuitionistic logic, or of the soundness and completeness of the usual Gentzen-type systems for $N^-$ and $N$ (as presented e.g. in [38]).⁴ An outline of the proof goes as follows. Call a set $\Gamma$ of signed formulas saturated if it satisfies the following conditions:

1. $\Gamma$ has no closed tableau in $Tab(N^-)$.
2. With the exception of $(F^+\supset)''$, $\Gamma$ respects all the expansion rules of $Tab(N^-)$ (e.g.: if $T^+\varphi \wedge \psi \in \Gamma$ then both $T^+\varphi \in \Gamma$ and $T^+\psi \in \Gamma$, while if $F^+\varphi \wedge \psi \in \Gamma$ then either $F^+\varphi \in \Gamma$ or $F^+\psi \in \Gamma$).

Obviously, if a set $\Delta$ of signed formulas does not have a closed tableau in $Tab(N^-)$ then it can be extended to a saturated set $\Delta^*$, so that every (ordinary) formula which occurs in $\Delta^*$ is a subformula of some formula in $\Delta$. Let $I$ be the set of all saturated sets which have this property. Define a partial order $\le$ on $I$ by: $\Delta_1 \le \Delta_2$ if either $\Delta_1 = \Delta_2$ or $T(\Delta_1) \subset T(\Delta_2)$ (where the inclusion should be proper). Define next $v^+$ and $v^-$ for $\Gamma \in I$ and $p$ atomic by: $v^+(\Gamma, p) = t$ iff $T^+p \in \Gamma$, while $v^-(\Gamma, p) = t$ iff $T^-p \in \Gamma$. It is not difficult to show that $\mathcal{X} = (I, \le, v^+, v^-)$ is an $N^-$-frame, and that for each $\Gamma \in I$, $(\mathcal{X}, \Gamma)$ is a model of all the signed formulas of $\Gamma$. In particular: if $\Delta$ does not have a closed tableau in $Tab(N^-)$ then $(\mathcal{X}, \Delta^*)$ is a model of all the signed formulas in $\Delta$.

Theorem 5. A set of signed formulas is unsatisfiable in $N$ iff it has a closed tableau in $Tab(N)$.

Proof: Similar to the proof of Theorem 4.

⁴ The tableau systems we present here are of course strongly related to these Gentzen-type systems.
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3.2 Extensions with Excluded Middle 



It is well known that it is impossible to conservatively add to intuitionistic posi- 
tive logic a negation which is both explosive (i.e.: -k/j, ip \- ifj for all ip, tp) and for 
which LEM (the Law of Excluded Middle: V p) is valid. With such an ad- 

dition we get classical logic. In N (following the tradition of intuitionistic logic) 
the choice was on explosiveness. In the paraconsistent logics of da Costa’s school 
([16, 15]) explosiveness is rejected, while LEM is accepted. Thus da Costa’s ba- 
sic system C^) is a conservative extension of positive intuitionistic logic which is 
obtained from any standard Hilbert-type formulation of this logic by adding as 
axioms ~^p V p and ~^^p D p. We present now a Kripke-style semantics for C^j 
which is similar to that we have presented above for N 



Definition 6. A Ci^-frame is a structure T = {I, <,v~^ ,v ) in which v~^ and v 
are valuations from I x T into {t, /} such that: 



1 . 

2 . 

3. 



There are no a G I and p for which both v~^{a,p) = f and v~{a,p) = f. 
The basic conditions (H'^ ) and (H~ ) above are satisfied, 
and v~ satisfy also the following conditions: 



v~^{a, p Alp) = t iff 

t>+(a, p\/ pj) = t iff 

u+(a, p D tp) = t iff 

-<p) =t iff 

v-\a,^p) = f if 



U+ (a, (/?) = t and v'^{a,tp) = t 

u“*'(a, p) = t or ip) = t 

for all b > a, either v~^{b, p) = f or v~^{b, ip) = t 

v~{a,p) = t 

v+{a,p) = f 



Thus the conditions concerning u"*" are identical to those in the case of , 
and are fully deterministic (given v~). The values assigned to v~ , in contrast, are 
in general not determined by the values assigned by v~^ and v~ to its subformulas, 
and they are only subjected to two constraints (this implies, among other things, 
that it does not suffice to assume conditions {H~^) and (H~) only for atomic 
formulas, since this does not enforce them to hold for arbitrary formulas). 

The concept of a model of a signed formula, and the associated consequence 
relation are defined now exactly as in the case of N“ and N. We present now 
a corresponding tableau system: ® 



Definition 7. The tableau system Tab(Cuj) has the following rules and closure 

conditions: 

Closure Conditions: Like in the case of Tab{JVlj^^'^^), a branch is closed iff 
for some formula p it contains either {T+^,F+V?}, or {T-:^,F-:^}, or 
{F+(/j,F p }. 

® This similarity, and the fact that it needs no new ad-hoc constructs (like the func- 
tion T used in [10]) are the main advantages of our semantics over the older one 
given in [10]. It is also considerably simpler, requiring no complicated conditions of 
the sort of condition Ill.f. from Definition 1 of [10]. 

® This system is closely related, but not identical, to the Gentzen-type system given 
for Cui in [33]. 
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Expansion Rules: The rules (T^->), (F'^-i), (T'*"A), (F'''A), (T’''V), (F'^V), 
(T^ d), and (T”^) of Tab{M.i), as well as (F'*' d)’" and (F'*' d)^ of 
Ta6(N”). 

Analytic Cuts: 

Sip Sp 

T+V- I F+iIj T~iIj I F~iIj 

Where S S {T+,F+,T-,F-} and is a subformula of p 

Theorem 6. A set of signed formulas is unsatisfiable in Cω iff it has a closed tableau in Tab(Cω).

Proof: Again we only give an outline. This time we call a set Γ of signed formulas saturated if it satisfies the following conditions:

1. Γ has no closed tableau in Tab(Cω).

2. If Sφ ∈ Γ then for every subformula ψ of φ, either T⁺ψ ∈ Γ or F⁺ψ ∈ Γ, and either T⁻ψ ∈ Γ or F⁻ψ ∈ Γ.

3. With the exception of one of the two (F⁺⊃) rules, Γ respects all the expansion rules of Tab(Cω).

Because of the presence of the analytic cuts, it is easy to see that if Δ does not have a closed tableau in Tab(Cω) then again it can be extended to a saturated set Δ*, so that every (ordinary) formula which occurs in Δ* is a subformula of some formula in Δ. Let I be the set of all saturated sets which have this property. Obviously Δ* ∈ I. Define ≤ on I like in the proof of Theorem 4. Define next v⁺ and v⁻ for Γ ∈ I and formulas φ recursively as follows:

— If φ is atomic, then v⁺(Γ, φ) = f iff F⁺φ ∈ Γ, and v⁻(Γ, φ) = f iff F⁻φ ∈ Γ.

— If φ = ψ₁ ∧ ψ₂ then v⁺(Γ, φ) = f iff either v⁺(Γ, ψ₁) = f or v⁺(Γ, ψ₂) = f, while v⁻(Γ, φ) = f iff F⁻φ ∈ Γ.

— If φ = ψ₁ ∨ ψ₂ then v⁺(Γ, φ) = f iff v⁺(Γ, ψ₁) = f and v⁺(Γ, ψ₂) = f, while v⁻(Γ, φ) = f iff F⁻φ ∈ Γ.

— If φ = ψ₁ ⊃ ψ₂ then v⁺(Γ, φ) = f iff there exists Γ* ≥ Γ in I such that v⁺(Γ*, ψ₁) = t and v⁻(Γ*, ψ₂) = f, while v⁻(Γ, φ) = f iff F⁻φ ∈ Γ.

— If φ = ¬ψ then v⁺(Γ, φ) = f iff v⁻(Γ, ψ) = f, while v⁻(Γ, φ) = f iff either F⁻φ ∈ Γ or v⁺(Γ, ψ) = f.

We proceed next to show that 𝒳 = (I, ≤, v⁺, v⁻) is a Cω-frame, and that for each Γ ∈ I, (𝒳, Γ) is a model of all the signed formulas of Γ. In particular: if Δ does not have a closed tableau in Tab(Cω) then (𝒳, Δ*) is a model of all the signed formulas in Δ.

Note. With the exception of (F⁺⊃) and (F⁻⊃), it is possible to add to Tab(Cω) all the other expansion rules of Tab(M_4), and still get a conservative extension of positive intuitionistic logic. It is also possible to modify the semantics in an appropriate way to get soundness and completeness for the resulting system. On the other hand, by adding (F⁻⊃) to Tab(Cω) we get classical logic.

Note. The crucial step in the proof of the last theorem is to show that the resulting (I, ≤, v⁺, v⁻) is indeed a frame. It is at this point where the addition of (F⁻⊃) causes the argument to fail.

One final remark. It is possible to conservatively add a propositional constant f to all the systems we have discussed above, together with the extra closure condition that a branch which contains T⁺f (and optionally also F⁻f) is closed. Hence we could have assumed that full propositional intuitionistic logic is contained in all these systems. It seems difficult to satisfactorily handle intuitionistic "negation" itself within our framework, but this is not so important anyway, since this negation is best understood in terms of ⊃ and f.

4 Conclusion and Further Research

We have presented a simple tableau-based framework with four types of signed formulas, corresponding to positive and negative statements about truth and falsity. The framework is essentially a generalization and refinement (using two extra signs) of Fitting's tableau system for Intuitionistic Logic ([21]). We show that it can uniformly cope with various kinds of multi-valued logics (even some with infinitely many truth values). This includes classical logic, three-valued logics, the four-valued logic of logical bilattices, Nelson's logics for constructive negation, and the paraconsistent logic Cω. This uniformity is obviously due to the close relationships between the logics under consideration, which our framework helps to identify. Accordingly it sheds (so we believe) some proof-theoretical light on these relationships (which are often blurred by semantical approaches). For example: the tableau system for Nelson's logic N is simply obtained from that for the three-valued logic with one designated value by constraining the implication rule to discard all formulas with polarity F from the context, exactly the same way one obtains a tableau system for Intuitionistic Logic from that of two-valued Classical Logic. Therefore the reason for the constructiveness of Nelson's negation is clear when seen from this perspective.

Some problems for future research:

— Is there a natural characterization of the intuitionistic negation itself within the framework presented here?

— In the semantics given to Cω there is an essential asymmetry between the roles of the positive valuation v⁺ and the negative one v⁻. What is the deep reason for this difference? What kind of logics will be obtained if a dual treatment is adopted, and in what contexts may such logics be useful?

— For the Belnap logic, there is a second set of connectives that is sometimes considered (the knowledge/information ones). Can these be captured by tableau rules too? Can some version of them be added to other logics that have been considered above?

— In general, what other variations can one impose on the tableau rules, and what will be the corresponding semantics? Is there some natural way of getting the semantic conditions from the tableau rules, beyond a case-by-case treatment?

— What sort of games can be played with the machinery we have developed within our framework?

— Is there a significant difference in terms of proof-length between the systems introduced here and those described in [29] and elsewhere?
Abstract. We present an overview of observation logic, an intuitionistic modal logic designed for reasoning about approximations and multiple contexts, and investigate a sequent-calculus formulation for it. Due to the validity of an axiom (called T2) which is a weakening of axiom T, one needs a labelled version of the sequent-calculus formalism in order to satisfy some classical properties, such as cut elimination and the subformula property. We thus introduce a sequent-calculus formulation of OL relying on labelled terms, and use it to show the decidability of the logic.



1 Introduction

Observation logic (OL, [1, 2]) is a formalization of the way information behaves in a partial-observation context, when all knowledge comes from possibly partial observations. This logic originated as the axiomatization of a satisfiability predicate defined over a general kind of algebraic structure, called representation system. These structures have been designed as an attempt to provide a construction which embodies the notion of approximate representation of a system (since our observations, being partial, can be seen as a partial description of its state), but without having the studied or observed system explicitly represented.

This constitutes a new and general approach to the problem of reasoning about approximations [3, 4, 5, 6] and about multiple contexts and theories [7, 8, 9]. In particular, observation logic is a modal intuitionistic logic with a collection of modal operators (denoted K_i) which can all be associated to a partial way of considering information about a system. This can be related to the use of evidence for producing assertions about the system as in Voorbraak's Nonmonotonic Observation Logic [10], but our approach does not rely on defeasible observation, so that OL is based on intuitionistic logic rather than on Reiter's default logic [11].

Thus, these modal connectives correspond to an approximation, or similarly to a partial observation method. They behave in an S4 way, with a few adaptations. The most important one is that axiom T : K_i φ → φ is not valid, but weaker versions of this axiom are (namely T2 : K_i K_j φ → K_j φ and L : K_i(K_i φ → φ)). If the latter just characterizes the way knowledge behaves internally, the former is a cornerstone of our approach, as it makes it possible to relate knowledge and information between different contexts.

In the present paper, we give an overview of observation logic and the algebraic structures underlying it, and provide a labelled sequent calculus for it. We then show that the calculus is a sound and complete formulation of observation logic and that this logic is decidable.

2 Observation Logic

In this section, we provide an overview of representation systems and observation logic [1, 2]. This logic was designed as an attempt to provide strong theoretical foundations to the study of systems where knowledge originates from observations, and thus where descriptions of the system have to be considered as partial.

The motivation for this originates from the remark that in the practice of science, the notion of partiality is extremely important for descriptions. This partiality may either come from an impossibility to obtain complete descriptions of the studied object (as in physical sciences, where all knowledge comes from some actual observation process), and thus be unavoidable, or it may be wanted, as in many domains of computer science where for efficiency purposes one wants to model relevant data only. This second source of partiality corresponds for instance to the notion of abstraction in artificial intelligence [3]. However, despite its importance, it appears that the notion of partiality of knowledge is not as present as it deserves in knowledge representation theories.

Let us first introduce our basic formalism, namely the representation systems, which are a collection of partially-ordered sets, each of them corresponding to a set of partial descriptions obtained with one particular way of observing the system. These posets are related together by a collection of transformation functions which express how the different observation methods can be related. Thus, the only elements which can be manipulated are partial descriptions of the system.

2.1 Representation Systems

Intuitively, one may define an approximation process using the following structures: first, the system to be studied and approximated is represented by a poset (P_S, ≤_S) whose elements may for instance be seen as sets of possible states, as in Kripke's possible worlds approach [12], where the partial order ≤_S is such that if d₁ ≤_S d₂, then d₁ is a more precise description of the state of the system than d₂ (in terms of possible worlds, the set of possible states associated to d₁ is included in the set of possible states associated to d₂). The result of the approximation can also be formalized using a poset (P_A, ≤_A). Then, the approximation relation between these two posets can be defined as a Galois surjection [13, 14, 15, 16, 17]:

    (P_S, ≤_S)  ⇄  (P_A, ≤_A)        with α : P_S → P_A and γ : P_A → P_S

This provides a natural way to express approximations, as given an element d of P_S corresponding to a set of possible states of the system, one associates to it the element α(d) of P_A which can be seen as an approximate description of the state of the system. In particular, it can be seen as an approximation of d, since from the definition of Galois surjections, one has:

    ∀d ∈ P_S, d ≤_S γ∘α(d)          ∀d' ∈ P_A, d' = α∘γ(d')

This construction can be generalized by considering a collection of approximation methods (indexed by elements i of a set I), each defined by a poset (P_i, ≤_i) and a Galois surjection (α_i, γ_i).

Moreover, it is possible to introduce "transformation functions" relating the different approximate posets P_i by defining f_{i|j} = α_i ∘ γ_j. With these functions, one can express relationships between the different approximations of a given system, without referring explicitly to the system itself. The definition of Galois surjections can be used to identify properties satisfied by the f_{i|j} functions in our formalism, which we will use as a characterization of our "transformation functions". This leads to the definition of representation systems.

Definition 1 (Representation System)

A representation system over a set of indices I is a pair:

    ( {P_i}, {f_{i|j}} )

where for each i ∈ I, (P_i, ≤_i) is a poset, and such that the functions f_{i|j} : P_j → P_i verify:

    Identity       ∀d, f_{i|i}(d) = d
    Monotony       ∀d ≤_j d', f_{i|j}(d) ≤_i f_{i|j}(d')
    Composition    ∀d, f_{i|k}(d) ≤_i f_{i|j} ∘ f_{j|k}(d)

This definition is sufficient for ensuring that all the representations can be considered as approximations of a single system, since given a representation system S, it is possible to build a poset P_S and a collection of Galois surjections (α_i, γ_i) from P_S to P_i such that f_{i|j} = α_i ∘ γ_j.

Example: Time on Earth

Consider the Earth, associate a point of view to each time zone, and define each associated poset by taking descriptions of the form t₁ ↗ t₂ = "the local time is between t₁ and t₂", where t₁ and t₂ stand for integer hours (we do not take minutes into account). These descriptions provide some information about an instant on Earth, and a description d₁ is less precise than d₂ if d₁ overlaps d₂. In this setup, the transformation functions convert time intervals from one time zone to another. For instance, if one considers the GMT time and the Pacific one (GMT − 8h), one has, modulo 24 hours:

    f_{Pac|GMT}(t₁ ↗ t₂) = (t₁ − 8) ↗ (t₂ − 8)

Now, if one considers the time zone of Nepal (GMT + 5h45), the conversion from the GMT time zone to this time zone results in an increase of the size of the interval: a time interval from 1h to 2h in the GMT time zone corresponds to the interval from 6h45 to 7h45 in Nepal, so that the best description one can give is 6 ↗ 8. More generally, one has:

    f_{Nep|GMT}(t₁ ↗ t₂) = (t₁ + 5) ↗ (t₂ + 6)

This interval increase corresponds to a loss of information and illustrates the composition inequality of the previous definition, since one can write:

    f_{Pac|GMT}(t₁ ↗ t₂) = (t₁ − 8) ↗ (t₂ − 8)
                         ≤ (t₁ − 9) ↗ (t₂ − 7)
                         = f_{Pac|Nep} ∘ f_{Nep|GMT}(t₁ ↗ t₂)
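The three conditions of Definition 1 can be checked mechanically on the time-zone example. The Python script below is an added illustration, not code from the paper. It assumes, as simplifications, that hours live on an unbounded integer line (no reduction modulo 24) and that a description t₁ ↗ t₂ is the pair (t1, t2), with d ≤ d' meaning that the interval of d is contained in that of d' (d is the more precise one). The zone offsets (Pacific = GMT − 8h, Nepal = GMT + 5h45) are those of the example; the minute offsets are rounded outwards so that the image is again a whole-hour interval, which is exactly where the Nepal conversion loses information. The finite sample of intervals used by the checker is constructed for the test.

```python
from itertools import product
from typing import List, Optional, Tuple

# Offsets from GMT in minutes, taken from the paper's example (Pacific = GMT - 8h,
# Nepal = GMT + 5h45). Adding a zone only requires adding its offset here.
OFFSET_MIN = {"GMT": 0, "Pac": -8 * 60, "Nep": 5 * 60 + 45}

Desc = Tuple[int, int]   # (t1, t2): "the local time is between t1 and t2" (whole hours)


def leq(d: Desc, d2: Desc) -> bool:
    """d <=_i d2: d is at least as precise as d2, i.e. its interval is contained in d2's."""
    return d2[0] <= d[0] and d[1] <= d2[1]


def transform(i: str, j: str, d: Desc) -> Desc:
    """f_{i|j} : P_j -> P_i, the best whole-hour description in zone i of a description
    given in zone j. Bounds are rounded outwards (floor / ceil): this is the information loss."""
    delta = OFFSET_MIN[i] - OFFSET_MIN[j]
    lo = (d[0] * 60 + delta) // 60                 # floor division
    hi = -((-(d[1] * 60 + delta)) // 60)           # ceiling division
    return (lo, hi)


def sample_descriptions(lo: int = -3, hi: int = 6) -> List[Desc]:
    """A constructed finite slice of each P_i: all whole-hour intervals inside [lo, hi]."""
    return [(a, b) for a in range(lo, hi + 1) for b in range(a, hi + 1)]


def violations(descs: Optional[List[Desc]] = None) -> List[str]:
    """Check Identity, Monotony and Composition of Definition 1 over the sample and
    return one line per violation found (an empty list means all three conditions hold)."""
    descs = descs if descs is not None else sample_descriptions()
    zones = list(OFFSET_MIN)
    bad = []
    for i, d in product(zones, descs):                    # Identity: f_{i|i}(d) = d
        if transform(i, i, d) != d:
            bad.append(f"identity {i} {d}")
    for i, j in product(zones, zones):                    # Monotony: d <= d' => f(d) <= f(d')
        for d, d2 in product(descs, descs):
            if leq(d, d2) and not leq(transform(i, j, d), transform(i, j, d2)):
                bad.append(f"monotony {i}|{j} {d} {d2}")
    for i, j, k in product(zones, zones, zones):          # Composition: f_{i|k}(d) <= f_{i|j}(f_{j|k}(d))
        for d in descs:
            if not leq(transform(i, k, d), transform(i, j, transform(j, k, d))):
                bad.append(f"composition {i}|{j}|{k} {d}")
    return bad


if __name__ == "__main__":
    one_to_two = (1, 2)                                                   # 1h ... 2h in GMT
    print(transform("Pac", "GMT", one_to_two))                            # (-7, -6)
    print(transform("Nep", "GMT", one_to_two))                            # (6, 8)
    print(transform("Pac", "Nep", transform("Nep", "GMT", one_to_two)))   # (-8, -5), strictly wider
    print(violations())                                                   # []
```

The direct conversion GMT → Pacific of 1 ↗ 2 gives −7 ↗ −6, while going through Nepal gives −8 ↗ −5: the direct description is the more precise one, which is the composition inequality of Definition 1. Replacing the outward rounding by plain truncation would make `violations()` report composition failures, which is a quick way to see why the inequality, and not an equality, is the right requirement.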

In this formalism, one manipulates approximations and partial descriptions of a given system, but the system itself is not explicitly present, except through the structure of each poset and the relationships that exist between them. In order to provide a general and flexible way to study the behaviour of knowledge and information in this formalism, we will now introduce a logical formalization of those structures. We obtain a logic, called observation logic, whose definition comes solely from the use of representation systems as the underlying model.

2.2 Logical Translation

Let us first define our language by the grammar:

    P ::= AP | ⊥ | P ∨ P | P ∧ P | P → P | K_i P

In this definition, a term of the form AP stands for an element ψ of the set of atomic propositions Ψ, and in a term of the form K_i P, the index i stands for an element of I. In the following, propositions will be denoted by φ, ψ, ϑ, etc.

To relate L_{I,Ψ} and a representation system S = ({P_i}, {f_{i|j}}) over I, we will define a collection of interpretation functions ⟦·⟧_i : L_{I,Ψ} → 𝒫^↓(P_i) (where 𝒫^↓(P_i) stands for the set of ideals, i.e. of downward-closed subsets of P_i). Given a proposition φ, its interpretation ⟦φ⟧_i corresponds to the set of elements of P_i which, seen as partial descriptions of the state of the system, provide enough information to prove that property φ actually holds. Now, if an element d is in this set, so will be any element d' ≤_i d, since d' provides more information than d, which is exactly the definition of an ideal.

The interpretation functions are defined inductively from the structure of terms. For atomic propositions, one has to provide an atomic interpretation v_i : Ψ → 𝒫^↓(P_i). For classical connectives, the interpretation corresponds to intuitionistic logic, since all propositions are interpreted as ideals of a poset. For modal connectives, the interpretation relies on the use of the transformation functions f_{i|j}, since ⟦K_j φ⟧_i is the set of elements of P_i which, after transformation into P_j by f_{j|i}, lie in the interpretation ⟦φ⟧_j, so that ⟦K_j φ⟧_i = { d | f_{j|i}(d) ∈ ⟦φ⟧_j }.

A Labelled Sequent-Calculus for Observation Logic

    ⟦ψ⟧_{M,i}       = v_i(ψ)                                         for ψ ∈ Ψ
    ⟦φ ∨ ψ⟧_{M,i}   = ⟦φ⟧_{M,i} ∪ ⟦ψ⟧_{M,i}
    ⟦φ ∧ ψ⟧_{M,i}   = ⟦φ⟧_{M,i} ∩ ⟦ψ⟧_{M,i}
    ⟦φ → ψ⟧_{M,i}   = { d | ∀d' ≤_i d, d' ∈ ⟦φ⟧_{M,i} ⟹ d' ∈ ⟦ψ⟧_{M,i} }
    ⟦⊥⟧_{M,i}       = ∅
    ⟦K_j φ⟧_{M,i}   = { d | f_{j|i}(d) ∈ ⟦φ⟧_{M,j} }

Fig. 1. Interpretation Function

A pair (S, v), where S = ({P_i}, {f_{i|j}}) is a representation system over I and v = {v_i : Ψ → 𝒫^↓(P_i)}_{i∈I} is an atomic interpretation, will be called a representation model over I, and let RM(I, Ψ) be the set of all representation models over I for atomic propositions Ψ. Given such a representation model M, the definition of ⟦·⟧_{M,i} is summarized in figure 1.

With this interpretation function, it is possible to define a notion of satisfiability, so as to identify which propositions of L_{I,Ψ} properly correspond to the behavior of information in our partial description approach.

Definition 2 (Satisfiability)

1. A proposition φ ∈ L_{I,Ψ} is satisfied by a representation model M = (S, v) ∈ RM(I, Ψ) (which we denote M ⊨ φ) if and only if ∀i, ⟦φ⟧_{M,i} = P_i.

2. A proposition φ ∈ L_{I,Ψ} is satisfied by representation systems over I if and only if it is satisfied by all representation models over I:

    ⊨_{S,I,Ψ} φ  ⟺  ∀M ∈ RM(I, Ψ), M ⊨ φ

In the following, for readability reasons, we will drop the I, Ψ subscripts, since we will refer to only one set of indices and one set of atomic propositions.

2.3 Axiomatization

We provide an axiomatization of this satisfaction predicate ⊨_S for representation systems by defining the logic OL as intuitionistic logic [18, 19, 20] together with the modal axioms and rules listed in figure 2.

A few comments can be made about OL. First, this logic can be seen as a multi-context reasoning logic. As exposed in [8, 21], axiom K for modalities is a good candidate for defining formal systems about contexts. Moreover, axiom T (K_i φ → φ) is not valid, so that in our logic facts inside a context need not be true, which emphasizes the fact that we are considering our contexts as approximations [7]. Yet, a weaker axiom (T2 : K_i K_j φ → K_j φ) is valid, which, while not referring to "reality", makes it possible to relate different contexts, and thus to reason with multiple contexts.
    K      K_i(φ → ψ) → K_i φ → K_i ψ
    D      K_i φ → ¬K_i ¬φ
    T2     K_i K_j φ → K_j φ
    L      K_i(φ → K_i φ)
    ∨      K_i(φ ∨ ψ) → K_i φ ∨ K_i ψ

            ⊢ φ                       ∀i, ⊢ K_i φ
    Nec  ───────────         Univ  ─────────────────
            ⊢ K_i φ                       ⊢ φ

Fig. 2. Modal Axioms and Rules of OL



Example: Time on Earth

In the previous example with time zones, a statement of the form "the local time is between t₁ and t₂" (which we denote t₁ ↗ t₂) makes no sense, since even if it is the case in one time zone, a different time zone will correspond to another description of the same instant. And even if an explicit reference to a time zone is provided, the given information cannot be used as is in another time zone:

    ⊬ K_GMT K_Pac (t₁ ↗ t₂) → K_GMT (t₁ ↗ t₂)

But it is still possible to relate different time zones: suppose I stand in the GMT time zone, and from my local time I can assert that the Pacific time is between t₁ and t₂ at the same moment; then it is actually the case:

    ⊢ K_GMT K_Pac (t₁ ↗ t₂) → K_Pac (t₁ ↗ t₂)

This illustrates the role of axiom T2.

In observation logic, valid propositions are exactly those which are valid in every context. The classical Nec-rule tells that valid propositions are valid within every context. But the Univ-rule states the converse: if a proposition is valid in every context, then this proposition is considered as valid "objectively", with no reference to any context. If there is a single context (I is a singleton {i}), the unique modal operator has no meaning, since one has: ∀φ, ⊢ φ ⟺ ⊢ K_i φ. If I is finite, this rule is equivalent to the axiom schema (⋀_i K_i φ) → φ. Finally, we will show later that if I is infinite, this rule can actually be suppressed, since if an index i does not appear in a formula φ, then proving the validity of K_i φ is equivalent to proving that of φ itself.

As one might expect, this logic is sound and complete with regard to representation systems, as stated by the following proposition:

Proposition 2.1

The logic OL is a sound and complete axiomatization of ⊨_S.

Proof It is easy to check that ⊨_S is sound w.r.t. OL by checking that all its axioms are valid for representation systems. The completeness proof can be done in a classical way using a canonical model [19, 20]. The specific proof for OL can be found in [1, 2]. □



3 Sequent Calculus

3.1 Words and Orders

We first define a few notations for dealing with labels. Let I* denote the monoid of words over I modulo idempotency (that is, finite words over I with no subword of the form ii for i ∈ I). We introduce the following notations: ε is the empty word, |Λ| the length of word Λ, · the concatenation operation, and given a word Λ = λ₁…λ_{|Λ|}, Λ|a…b is the word λ_a ⋯ λ_b, where a and b are integers giving the range of the sub-word of Λ.

Such a labelling word corresponds to a path along contexts, and all terms appearing in sequents will be labelled this way. Intuitively, a term in a sequent of the form [φ]_Λ will be thought of as equivalent to K_{λ_n} ⋯ K_{λ_1} φ. The fact that in OL K_i K_i φ and K_i φ are equivalent justifies the fact that words are considered modulo idempotency.

Let us now introduce two partial orders on I*. The first one (≤) corresponds to the word inclusion relation, while the other one (<*) will be used to capture the behaviour of axiom T2.

Definition 3 (Partial Orders on I*)

Given two words Ω = ω₁…ω_n and Λ = λ₁…λ_m, Ω ≤ Λ if and only if Ω is a sub-word of Λ, that is, if and only if there exists an increasing function σ : [1…n] → [1…m] such that ∀i, ω_i = λ_{σ(i)}.

Moreover, Ω <* Λ if and only if Ω ≤ Λ and either Ω = Λ = ε or ω₁ = λ₁.

As said above, the partial order <* has a very close relation to the K_i connectives, since one can show that if K_Λ φ stands for K_{λ_n} ⋯ K_{λ_1} φ, then one has:

    Ω <* Λ  ⟹  ∀φ, ⊢ K_Λ φ → K_Ω φ

A last point to be noted is that given a word Λ ∈ I*, the sets {Ω | Ω ≤ Λ} and {Ω | Ω <* Λ} are finite. Thus, both partial orders are well-founded.

3.2 Definition of the Calculus

Our sequent calculus is defined by the rules given in figure 3. In this definition, each sequent is of the form [γ₁]_{Λ₁}, …, [γ_n]_{Λ_n} ⊩ [φ]_Λ: each proposition appearing in a sequent comes with a label, which we call its localization. The use of labels makes it possible to have the subformula property verified, since any modal connective can be removed and replaced by an extra index in the localization. This is illustrated in the following example:
[Figure 3, the rules of the labelled calculus ⊩, is not legible in this scan. The rules it contains are: Axiom (side condition Λ' <* Λ), Weak, Contract, Cut (side condition Λ' <* Λ), Univ, Loc (side condition Λ' <* Λ), ∨L, ∨R1, ∨R2, ∧L1, ∧L2, ∧R, →L, →R, KL (side condition Λ' ≤ Λ) and KR.]

Fig. 3. Sequent-Calculus Rules



            2 <* 2·1                                     2 <* 2·1
      ─────────────────── Axiom                    ─────────────────── Axiom
      [φ]_{2·1} ⊩ [φ]_2                            [ψ]_{2·1} ⊩ [ψ]_2
      ─────────────────── ∨R1                      ─────────────────── ∨R2
      [φ]_{2·1} ⊩ [φ ∨ ψ]_2                        [ψ]_{2·1} ⊩ [φ ∨ ψ]_2
      ───────────────────────── KL, KR             ───────────────────────── KL, KR
      [K₂ φ]_1 ⊩ [K₂ (φ ∨ ψ)]_ε                    [K₂ ψ]_1 ⊩ [K₂ (φ ∨ ψ)]_ε
      ──────────────────────────────────────────────────────────────────── ∨L
                      [K₂ φ ∨ K₂ ψ]_1 ⊩ [K₂ (φ ∨ ψ)]_ε
                      ────────────────────────────────── KL
                    [K₁ (K₂ φ ∨ K₂ ψ)]_ε ⊩ [K₂ (φ ∨ ψ)]_ε
                    ──────────────────────────────────── →R
                    ⊩ [K₁ (K₂ φ ∨ K₂ ψ) → K₂ (φ ∨ ψ)]_ε

First, let us show that our sequent calculus is correct with respect to the observation logic OL.
Proposition 3.1

The sequent calculus defined in figure 3 is sound and complete w.r.t. OL. More precisely, one has:

    ∀φ ∈ L_{I,Ψ},  ⊢_OL φ  ⟺  ⊩ [φ]_ε

Proof The ⟹-implication can be easily proved by checking that all axioms of OL can be derived in the sequent-calculus formalism. In particular, for axiom L, one has to use the fact that i = i·i for any index i ∈ I.

To prove the ⟸-implication, it suffices to show that all the rules are correct w.r.t. the following translation in terms of representation systems:

    [γ₁]_{Λ₁}, …, [γ_n]_{Λ_n} ⊩ [φ]_Λ   ⟼   ⊨_S (⋀_j K_{Λ_j} γ_j) → K_Λ φ

It follows from this that one has:

    ∀φ,  ⊢_OL φ  ⟹  ⊩ [φ]_ε  ⟹  ⊨_S φ  ⟹  ⊢_OL φ

□

Now, in order to use this sequent calculus efficiently for the search of proofs, two rules deserve attention: the Cut-rule, which may introduce new formulas, and the Univ-rule, which introduces new indices. In the following section, we will investigate some proof manipulations, and show that the Cut-rule can always be eliminated, and that the Univ-rule can be used at most once.

4 Proof Manipulation

4.1 Label Manipulation on Proofs

We will first study the way localizations behave inside proofs of system ⊩. From its rules, one can first remark that for any sequent Γ ⊩ [φ]_Λ, every localized proposition [ψ]_Ω in Γ is such that Λ ≤ Ω. This result can be shown by induction on the height of the proof, since this property appears explicitly in rules Axiom and T, and it is preserved by the application of the other rules (and is also explicitly demanded for rule KL).

Another property can be stated: given a proof Π of a sequent Γ ⊩ [φ]_Λ, any sequent Δ ⊩ [ψ]_Ω in Π is such that Λ ≤ Ω. By combining those two properties, one gets the following result:

Proposition 4.1

Given a proof Π of a sequent Γ ⊩ [φ]_Λ, any term [ψ]_{Λ'} appearing in Π is such that Λ ≤ Λ'.

This property suggests an interesting manipulation of the localizations appearing in a proof. Given a proof Π of Γ ⊩ [φ]_Λ, proposition 4.1 asserts that any localization Ω in Π can be written as Ω₁·Ω₂ with Λ <* Ω₂. One would then want to replace this localization by Ω₁·Λ, or even by Ω₁·Λ' for some Λ' <* Λ.

Such a manipulation is in fact necessary if one wants to have the cut-elimination property for ⊩, since if one has a proof Π of Γ ⊩ [φ]_Λ, then for Λ' <* Λ, the following provides a proof of Γ ⊩ [φ]_{Λ'}:

          Π                    Λ' <* Λ
      ───────────          ────────────────── Axiom
      Γ ⊩ [φ]_Λ            [φ]_Λ ⊩ [φ]_{Λ'}
      ──────────────────────────────────────── Cut
                  Γ ⊩ [φ]_{Λ'}

In that situation, eliminating the cut implies that one has a way to transform Π into a proof of Γ ⊩ [φ]_{Λ'}. For this to be done, we introduce an operation on words which does the proper manipulation on localizations.

Definition 4

Given three words Λ' ≤ Λ ≤ Ω, we define Ω(Λ▷Λ') as Ω|1…l · Λ', where l is the greatest integer such that Λ ≤ Ω|l+1…|Ω|.

This operation works as follows: given two words Λ and Ω such that Λ ≤ Ω (or, stated another way, Λ is included in Ω), one first finds the rightmost way to include Λ into Ω, "cuts" Ω at this position, and appends another word Λ' instead. For instance, adbcdcbad(dba▷a) = adbca, as illustrated in the following decomposition:

    adbc|dcbad   →   adbc|a

Proposition 4.2

Given two words Λ ≤ Λ', one has:

    Ω ≤ Ω'  ⟹  Ω(Λ'▷Λ) ≤ Ω'(Λ'▷Λ)

Moreover, if Λ <* Λ', then one has:

    Ω <* Ω'  ⟹  Ω(Λ'▷Λ) <* Ω'(Λ'▷Λ)

    Ω(Λ'▷Λ) <* Ω

    Ω ≤ Ω'  ⟹  Ω'(Ω ▷ Ω(Λ'▷Λ)) <* Ω'(Λ'▷Λ)

As one can see, operation _(_▷_) has, considering the previous properties, some connections with the transformation functions f_{i|j} used in the definition of representation systems: the three inequalities for the case Λ <* Λ' can be put respectively in correspondence with the monotony, identity and composition properties of transformation functions. The next proposition shows how they can apply to proof manipulation.

Proposition 4.3

Every proof Π of a sequent Γ ⊩ [φ]_Λ can be transformed into a proof Π' of Γ(Λ▷Λ') ⊩ [φ]_{Λ'} for Λ' <* Λ. Moreover, the structure of Π' differs from that of Π only by the addition of some applications of the Loc-rule.

The notation Γ(Λ▷Λ') corresponds to replacing each [ψ]_Ω in Γ by [ψ]_{Ω(Λ▷Λ')}.
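Definition 3, Definition 4 and Proposition 4.2 are concrete enough to be executed. The Python module below is an added example, not code from the paper: it implements words modulo idempotency, the orders ≤ and <* of Definition 3, the operation Ω(Λ▷Λ') of Definition 4 (as the function subst), reproduces the worked example adbcdcbad(dba▷a) = adbca, and brute-forces the ≤-monotony inequality and, for Λ <* Λ', the two <*-inequalities of Proposition 4.2 over every word of length at most 3 on a three-letter alphabet. The alphabet, the length bound and the function names are constructed choices; the fourth ("composition") inequality is left out of the checker.

```python
from itertools import product
from typing import Iterator

# Words of I* are Python strings over an alphabet of indices; "" is the empty word epsilon.


def idem(word: str) -> str:
    """Reduce a word modulo idempotency: every factor 'ii' collapses to 'i'."""
    out = []
    for ch in word:
        if not out or out[-1] != ch:
            out.append(ch)
    return "".join(out)


def concat(u: str, v: str) -> str:
    """The monoid operation of I*: concatenate, then reduce modulo idempotency."""
    return idem(u + v)


def leq(omega: str, lam: str) -> bool:
    """Omega <= Lambda (Definition 3): Omega embeds into Lambda as a scattered sub-word."""
    it = iter(lam)
    return all(ch in it for ch in omega)   # greedy left-to-right embedding is sufficient


def leq_star(omega: str, lam: str) -> bool:
    """Omega <* Lambda (Definition 3): sub-word, and either both empty or same first letter."""
    if not leq(omega, lam):
        return False
    if omega == "" or lam == "":
        return omega == lam
    return omega[0] == lam[0]


def rightmost_cut(lam: str, omega: str) -> int:
    """Greatest l such that Lambda <= Omega|l+1..|Omega| (Lambda must be a sub-word of Omega)."""
    for l in range(len(omega), -1, -1):
        if leq(lam, omega[l:]):
            return l
    raise ValueError("Lambda is not a sub-word of Omega")


def subst(omega: str, lam: str, lam2: str) -> str:
    """Omega(Lambda |> Lambda') of Definition 4: keep Omega up to the rightmost embedding
    of Lambda, drop the rest, and append Lambda' instead."""
    return concat(omega[: rightmost_cut(lam, omega)], lam2)


def words(alphabet: str, max_len: int) -> Iterator[str]:
    """All elements of I* over `alphabet` of length <= max_len (no factor ii)."""
    for n in range(max_len + 1):
        for tup in product(alphabet, repeat=n):
            w = "".join(tup)
            if idem(w) == w:
                yield w


def check_prop_4_2(alphabet: str = "abc", max_len: int = 3) -> bool:
    """Brute-force Proposition 4.2 on small words: <=-monotony for Lambda <= Lambda', and
    the two <*-inequalities when Lambda <* Lambda'. Returns True iff no counter-example."""
    ws = list(words(alphabet, max_len))
    for small, big in product(ws, ws):               # Lambda <= Lambda'
        if not leq(small, big):
            continue
        star = leq_star(small, big)
        for omega in ws:                             # Lambda' <= Omega, so subst is defined
            if not leq(big, omega):
                continue
            om_s = subst(omega, big, small)
            if star and not leq_star(om_s, omega):               # Omega(L'|>L) <* Omega
                return False
            for omega2 in ws:                        # Omega <= Omega'
                if not leq(omega, omega2):
                    continue
                om2_s = subst(omega2, big, small)
                if not leq(om_s, om2_s):                         # <=-monotony
                    return False
                if star and leq_star(omega, omega2) and not leq_star(om_s, om2_s):
                    return False                                 # <*-monotony
    return True


if __name__ == "__main__":
    print(subst("adbcdcbad", "dba", "a"))   # adbca, the decomposition adbc|dcbad -> adbc|a
    print(check_prop_4_2())                 # True
```

The search for the cut position runs from the right, which is what "the rightmost way to include Λ into Ω" means: the first l (from |Ω| downwards) at which Λ still embeds into the suffix Ω|l+1… is the one kept. Concatenation goes through `idem`, so a prefix ending with the first letter of Λ' does not produce a forbidden factor ii.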
Sketch of Proof This result can be proved by induction on the size of the proof, and relies mainly on the properties of the operation _(_▷_). The main rules to be examined are Loc, Cut and →L.

The validity of Loc comes from the fact that if Λ' <* Λ, then _(Λ▷Λ') is <*-monotonous. The validity of rules Cut and →L is a consequence of the "composition" property: if Λ' <* Λ ≤ Ω' ≤ Ω, then one has Ω(Ω' ▷ Ω'(Λ▷Λ')) <* Ω(Λ▷Λ'). □

Corollary 4.3.1

Every proof Π of a sequent Γ ⊩ [φ]_Λ can be transformed into a proof Π' of Γ ⊩ [φ]_{Λ'} for Λ' <* Λ. Moreover, the structure of Π' differs from that of Π only by the addition of some applications of the Loc-rule.

Proof It is a combination of the previous proposition and of multiple applications of the Loc-rule. □

This corollary is the justification of operation _(_▷_), since it is the central tool for "lowering" the localization of the right-side proposition of a sequent. This is necessary for achieving cut-elimination, which is our next topic.

4.2 Cut Elimination

The manipulations presented in the previous section are essential for eliminating cut, and can be combined with the classical cut-elimination procedure [22, 23, 24, 25]. The detailed specific proof for OL is long and technical, though it contains no special difficulties, and we only provide a sketch of it.

Theorem 4.4 (Cut Elimination)

Given a proof Π of a sequent Γ ⊩ [φ]_Λ, it is possible to transform Π into a cut-free proof Π' of the same sequent.

Sketch of Proof The proof of this elimination is mainly an adaptation of that given in [25]. It is based on the use of a well-founded order defined on proofs, and on a set of transformation rules which are strictly decreasing w.r.t. this order.

This order is defined lexicographically as (<cd, <cr, <ld, <ps), where <cd compares the cut depth of proofs (that is, the maximum number of Cut rule instances present in a branch of the proof tree), <cr corresponds to the cut rank of a proof (the size of the biggest active term in a Cut rule instance), <ld to its logical depth and <ps to its size.

Most rules can be directly adapted from [25], and we present the reduction rule for the case where the cut formula is of the form K_i φ, and the two premisses are left- and right-introductions of the modal connective. Starting from a proof Π of the form:

[The figure for Π is not legible in this scan. It consists of a sub-proof π₁ ending with KR and yielding Γ ⊢ [K_i φ]_Λ, a sub-proof π₂ ending with KL and yielding Δ, [K_i φ]_{Λ'} ⊢ [η]_{Λ''}, and a Cut on K_i φ giving Γ, Δ ⊢ [η]_{Λ''}.]

one can transform it into the proof Π':

[The figure for Π' is not legible in this scan. The Cut is now applied to the premises of π₁ and π₂, i.e. on the term φ localized by i·Λ and i·Λ', and the end-sequent Γ, Δ ⊢ [η]_{Λ''} is unchanged.]

The other important transformation, presented in section 4.1, concerns an instance of the Cut rule with the Axiom rule as one of its premisses, and relies on Corollary 4.3.1. The complete proof can be found in [2]. □



4.3 Univ Limitation

Another rule which deserves close examination is the Univ-rule. The main problem with this rule appears in the case of an infinite index set I, since this would lead to infinite proofs. Before tackling this problem, we first show how to have a "normal" form of proofs with regard to the Univ-rule when I is finite.

First, given a proof π of a sequent Γ ⊩ [φ]_Λ, it is possible to obtain a proof of Γ.i ⊩ [φ]_{Λ·i} where each localization Ω in π is replaced by Ω·i. All rules except Univ are left unchanged, since they remain valid after adding i on the right of the localizations. For the Univ-rule, one just has to select the i-th premise, thus removing the instance of the rule. This way, from a proof Π of Γ ⊩ [φ]_Λ one can get for each i ∈ I a proof Π_i of Γ.i ⊩ [φ]_{Λ·i} which, combined together, provide a proof Π' of Γ ⊩ [φ]_Λ with only one occurrence of the Univ-rule, at the root.

Proposition 4.5 (Univ Limitation)

If I is finite, every proof Π of a sequent Γ ⊩ [φ]_Λ can be transformed so as to have at most one instance of the Univ-rule, which instance is at the root.

Now, suppose that one has a proof Π of a sequent Γ.i ⊩ [φ]_{Λ·i} where i appears nowhere in the sequent Γ ⊩ [φ]_Λ. In that case, it appears that index i is not relevant in Π, and one would want to simply erase it from Π. This can actually be done, and one has the following proposition:

Proposition 4.6

Every proof Π of a sequent Γ.i ⊩ [φ]_{Λ·i} such that i is not present in the sequent Γ ⊩ [φ]_Λ can be transformed into a proof of Γ ⊩ [φ]_Λ without changing its structure.

Corollary 4.6.1

Every proof Π of a sequent Γ.i ⊩ [φ]_{Λ·i} such that i is not present in the sequent Γ ⊩ [φ]_Λ can be transformed into a proof of Γ ⊩ [φ]_Λ with no occurrence of the Univ-rule.

This corollary comes from the combination of propositions 4.5 and 4.6, since starting from a proof Π of the sequent, one applies prop. 4.5, selects the i-th premise of the root and applies prop. 4.6. Since corollary 4.6.1 always applies if I is infinite, one has finally:

Proposition 4.7 (Univ Elimination)

If I is infinite, the Univ-rule can be omitted in the search of a proof.



5 Decidability 

If one excepts the localization-handling rules, the sequent-calculus system as 
given in Figure 3 is very close to a formulation of intuitionistic logic. This suggests 
introducing a variant of this system in order to avoid problems related to the 
Contract-rule. One manipulation consists in changing the rules of the sequent 
system so as to have in the left-hand side of a sequent at most one copy of each 
formula. This way, there are no redundancies in sequents, and the Contract-rule 
becomes useless. This manipulation was introduced by S. Kleene (system 
G3a in [26], p. 481; one can also refer to system QJCi in [25], p. 36) and is such that 
for an introduction rule on the left-hand side, the obtained term appears in each 
premise. This transformation can easily be applied to our system. For instance, 
the left introduction rule for implication can be restated as: 

[Rule not recoverable from the scan; its conclusion has Γ together with the implication [φ → ψ]_σ on the left-hand side, and the principal formula is kept in each premise.]

With this system, if one does not take localizations into account, there are finitely 
many possible sequents. Now, for the localization-related rules, it can be shown 
that there are also finitely many possible localizations which may intervene in 
the proof of a sequent. This comes from the fact that the Univ-rule may be used 
at most once (Prop. 4.5), and the other indices can only be introduced with 
a K_L- or a K_R-rule. Thus, finitely many sequents have to be considered, so that 
one has: 

Theorem 5.1 (Termination of Proof Search) 

The search for a proof of a sequent with the system ⊩ terminates. 

Corollary 5.1.1 (Decidability of OL) 

OL is decidable. 
6 Conclusion 

In this article, we have presented an overview of the observation logic. We have 
then studied a sequent-calculus formulation of it. Due to the presence of a special 
modal axiom, namely T2 : K_i K_j φ → K_j φ, some additions to a "classical" 
formulation are needed in order to satisfy properties such as cut 
elimination. 

This problem is solved with the use of context path prefixes labelling each 
term of a proof, ensuring the subformula property by replacing modal operators 
by an additional context in the terms' labels. We thus proposed a sequent-calculus 
formulation of OL and have shown its soundness and correctness. Finally, we 
have presented the Cut- and Univ-elimination processes, and shown the decidability 
of this logic. 
Abstract. In this work we investigate bounded Łukasiewicz logics, characterised 
as the intersection of the k-valued Łukasiewicz logics for k = 
2, ..., n (n ≥ 2). These logics formalise a generalisation of Ulam's game 
with applications in Information Theory. Here we provide an analytic 
proof calculus GLB_n for each bounded Łukasiewicz logic, obtained by 
adding a single rule to GL, a hypersequent calculus for Łukasiewicz 
infinite-valued logic. We give a first cut-elimination proof for GL with 
(suitable forms of) cut rules. We then prove completeness for GLB_n with 
cut and show that cut can also be eliminated in this case. 



1 Introduction 

Łukasiewicz logics were introduced for philosophical reasons by Jan Łukasiewicz 
in the 1920s [8] and are among the first examples of many-valued logics. Currently 
they are of great importance in several areas of research. Firstly, in fuzzy 
logic [16], where infinite-valued Łukasiewicz logic L, along with Gödel logic and 
Product logic, emerges as one of the fundamental "t-norm based"¹ fuzzy logics [7]. 
From an algebraic perspective, Chang's MV-algebras [2] for Łukasiewicz 
logics are of great interest and form the subject of a recent monograph containing 
many deep mathematical results [5]. Łukasiewicz logics can also be viewed from 
a geometric perspective via McNaughton's representation theorem [9], which 
establishes that formulae in L stand to particular geometric functions as formulae 
in classical logic stand to boolean functions. Finally, various semantic interpretations 
of Łukasiewicz logics have been provided, most importantly via Ulam's 
game, a variant of the game of Twenty Questions where errors/lies are allowed 
in the answers [12, 13]. Ulam's game models situations in the processing and 
sending of information that might be affected by "noise" (see e.g. [14]), and 
strategies for the game lead naturally to the theory of error-correcting codes. 

¹ T-norms are widely used to combine vague information in applications for approximate 
reasoning, knowledge representation and decision making. 
In [11] an analytic proof calculus GL was defined for L using hypersequents, 
a natural generalisation of Gentzen sequents introduced by Avron in [1]. Soundness 
and completeness for GL were proved semantically in [11] via an embedding 
of L into Meyer and Slaney's abelian logic A, the logic of abelian groups. Hence 
"cut" rules, which permit the introduction of lemmas or intermediary steps into 
proofs, were shown to be admissible for GL without proving cut-elimination, 
i.e. without providing an algorithm for obtaining proofs in GL from proofs in 
GL with cut. 

Bounded Łukasiewicz logics LB_n (n ≥ 2) arise as the intersection of k-valued 
Łukasiewicz logics, for k = 2, ..., n. Informally they capture the notion of having 
"at most" n truth values, as expressed by the validity of the following sequent-style 
rule: 

$$\dfrac{\Gamma, \overbrace{A, \ldots, A}^{n\ \text{times}} \vdash \Delta}{\Gamma, \underbrace{A, \ldots, A}_{n-1\ \text{times}} \vdash \Delta}\ (n\text{-contraction})$$

Note that in the particular cases where n = 2 and n = 3, LB_n coincides with 
classical logic and 3-valued Łukasiewicz logic respectively. Other families of logics 
satisfying (n-contraction) were investigated in [15, 3], and in [3] also an analytic 
calculus for LB_4 was defined. 

In this work we introduce semantic interpretations and analytic proof calculi 
for the family of bounded Łukasiewicz logics. We start in Section 2 by introducing 
finite-valued, infinite-valued and bounded Łukasiewicz logics. We then 
show in Section 3 that bounded Łukasiewicz logics can be interpreted in terms 
of a generalised version of Ulam's game with applications in Information Theory 
(see e.g. [4]). In Section 4 we recall the hypersequent calculus GL presented 
in [11], and give first proofs of cut-elimination for GL with two forms of cut 
rules. Finally in Section 5 we define calculi for the bounded Łukasiewicz logics 
by adding a single rule to GL in each case. We then prove completeness syntactically 
using cut and show that the cut-elimination proofs of Section 4.1 can be 
extended in the presence of this extra rule. 



2 Łukasiewicz Logics 

We start by defining the infinite-valued Łukasiewicz logic L², noting that in this 
work we identify theoremhood in a logic with derivability in the corresponding 
Hilbert-style system. 

Definition 1 (Łukasiewicz Infinite-Valued Logic, L). A Hilbert-style system 
for L, using the connectives ⊃ and ⊥, consists of the rule: 

$$(mp)\ \dfrac{A \supset B \qquad A}{B}$$

together with the axioms: 

$$\begin{array}{ll}
L1\ \ A \supset (B \supset A) & L3\ \ ((A \supset B) \supset B) \supset ((B \supset A) \supset A) \\
L2\ \ (A \supset B) \supset ((B \supset C) \supset (A \supset C)) & L4\ \ ((A \supset \bot) \supset (B \supset \bot)) \supset (B \supset A)
\end{array}$$

Other connectives are defined as follows: ¬A = A ⊃ ⊥, A ⊕ B = ¬A ⊃ B 
and A ⊙ B = ¬(A ⊃ ¬B). We also adopt the notation below: 

$$A \equiv B = (A \supset B) \odot (B \supset A) \qquad n.A = \overbrace{A \oplus \ldots \oplus A}^{n} \qquad A^n = \overbrace{A \odot \ldots \odot A}^{n}$$

Remark 1. An alternative Hilbert-style system for L is obtained by adding axioms 
L1 and L3 to any axiomatization of the multiplicative additive fragment of 
linear logic³ (see [15]). In particular, axiom L3 allows the additive connectives ∨ 
and ∧ to be defined over the multiplicative ones (⊕ and ⊙ or, equivalently, ⊃) 
as follows: A ∨ B = (A ⊃ B) ⊃ B and A ∧ B = ¬(¬A ∨ ¬B). 

Hilbert-style systems extending L were provided for the finite-valued Łukasiewicz 
logics by Grigolia in [6]. 

² Note that a single sequent calculus for L has also been defined in [10]. 

Definition 2 (N-valued Łukasiewicz Logic, L_n). A Hilbert-style system for 
L_n consists of the same axioms and rules as L and also: 

$$L_n5\ \ n.A \supset (n-1).A \qquad \text{and} \qquad L_n6\ \ (p.A^{p-1})^n \equiv n.A^p$$

for every integer p = 2, ..., n − 2 that does not divide n − 1. 

Remark 2. Axiom L_n5 corresponds to the (n-contraction) rule (see [15]). 

Algebraic structures for the above logics are defined as follows, using the same 
notation for algebraic operations as the corresponding connectives. 

Definition 3 (MV-algebra). An MV-algebra⁴ is an algebra 𝒜 = (A, ⊕, ¬, ⊥) 
with a binary operation ⊕, a unary operation ¬ and a constant ⊥, satisfying the 
following equations: 

$$\begin{array}{ll}
MV1\ \ x \oplus (y \oplus z) = (x \oplus y) \oplus z & MV2\ \ x \oplus y = y \oplus x \\
MV3\ \ x \oplus \bot = x & MV4\ \ \neg\neg x = x \\
MV5\ \ x \oplus \neg\bot = \neg\bot & MV6\ \ \neg(\neg x \oplus y) \oplus y = \neg(\neg y \oplus x) \oplus x
\end{array}$$

We also define: x ⊃ y = ¬x ⊕ y and ⊤ = ¬⊥. 

Definition 4 (MV_n-algebra). An MV_n-algebra is an MV-algebra satisfying 
the equations: 

$$(E_n5)\ \ n.x = (n-1).x \qquad \text{and} \qquad (E_np)\ \ (p.x^{p-1})^n = n.x^p$$

for every integer p = 2, ..., n − 2 that does not divide n − 1. 

³ I.e. linear logic without exponential connectives. 

⁴ MV stands for many-valued. 
Valuations for these algebraic structures are defined in the usual way (see, 
e.g., [5]). We say that a formula φ is valid in an MV-algebra 𝒜 (resp. in an 
MV_n-algebra 𝒜) if for all valuations v on 𝒜, v(φ) = ⊤. 

We now introduce some important MV-algebras and MV_n-algebras. 

Definition 5 ([−1,0]_L, [−1,0]_{L_n}). Let x ⊕ y = min(0, x + y + 1), ¬x = 
−1 − x and ⊥ = −1; then [−1,0]_L = ([−1,0]_ℝ, ⊕, ¬, ⊥) is an MV-algebra and 
[−1,0]_{L_n} = ({−1, −(n−2)/(n−1), ..., −1/(n−1), 0}, ⊕, ¬, ⊥) is an MV_n-algebra. 

In fact these algebras are characteristic for L and L_n: 

Theorem 1 ([2]). The following are equivalent: (1) φ is a theorem of L. (2) φ 
is valid in all MV-algebras. (3) φ is valid in [−1,0]_L. 

Theorem 2 ([6]). The following are equivalent: (1) φ is a theorem of L_n. (2) 
φ is valid in all MV_n-algebras. (3) φ is valid in [−1,0]_{L_n}. 

We now introduce bounded Łukasiewicz logics. 

Definition 6 (N-bounded Łukasiewicz Logic, LB_n). A Hilbert-style system 
for n-bounded Łukasiewicz Logic LB_n consists of the same axioms and rules as 
L together with axiom L_n5. 

Remark 3. LB_2 and LB_3 coincide with classical logic and L_3, respectively. 
LB_n is characterised by the following algebraic structures. 

Definition 7 (N-bounded MV-algebra). An n-bounded MV-algebra is an 
MV-algebra satisfying the equation (E_n5). 

Remark 4. In the above definition, equation (E_n5) can be equivalently replaced 
by the validity of ¬x ∨ (n − 1).x. 

Theorem 3 ([5]). The following are equivalent: (1) φ is a theorem of LB_n. (2) 
φ is valid in all n-bounded MV-algebras. (3) φ is valid in all MV_k-algebras for 
k = 2, ..., n. 

Corollary 1. The following are equivalent: (1) φ is a theorem of LB_n. (2) φ is 
a theorem of L_k for k = 2, ..., n. (3) φ is valid in [−1,0]_{L_k} for k = 2, ..., n. 

Proof. Follows immediately from Theorems 2 and 3. □ 
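The algebras of Definition 5 and the characterisation of Corollary 1 can be checked mechanically for concrete formulae. The following Python code is an added example and not part of the paper: it implements [−1,0]_{L_k} with exact rational arithmetic, decides validity of a formula in [−1,0]_{L_k} by enumerating all valuations, and so decides theoremhood in LB_n by Corollary 1 (3). The formula constructors, the function names and the helper smallest_k_refuting are this example's own; the sample formulae are the axioms L1 to L4 of Definition 1 and the bounding axiom L_n5 of Definition 2.

```python
from fractions import Fraction
from itertools import product

# Formulas over the primitive connectives of Definition 1, as nested tuples:
#   ('var', 'A')   propositional variable
#   ('bot',)       the constant ⊥
#   ('imp', X, Y)  X ⊃ Y
BOT = ('bot',)

def var(name):
    return ('var', name)

def imp(a, b):
    return ('imp', a, b)

def neg(a):               # ¬A  =  A ⊃ ⊥
    return imp(a, BOT)

def oplus(a, b):          # A ⊕ B  =  ¬A ⊃ B
    return imp(neg(a), b)

def odot(a, b):           # A ⊙ B  =  ¬(A ⊃ ¬B)
    return neg(imp(a, neg(b)))

def times(n, a):          # n.A  =  A ⊕ ... ⊕ A  (n copies, n ≥ 1)
    f = a
    for _ in range(n - 1):
        f = oplus(f, a)
    return f

def truth_values(k):
    """Carrier of [-1,0]_{L_k}: {-1, -(k-2)/(k-1), ..., -1/(k-1), 0} as exact fractions."""
    return [Fraction(-j, k - 1) for j in range(k - 1, -1, -1)]

def evaluate(formula, v):
    """Value of a formula in [-1,0]_L under the valuation v (a dict variable -> value).
    With ⊕ and ¬ as in Definition 5, x ⊃ y = ¬x ⊕ y = min(0, -1 - x + y + 1) = min(0, y - x)."""
    tag = formula[0]
    if tag == 'var':
        return v[formula[1]]
    if tag == 'bot':
        return Fraction(-1)
    x, y = evaluate(formula[1], v), evaluate(formula[2], v)
    return min(Fraction(0), y - x)

def variables(formula):
    """Sorted list of the variable names occurring in a formula."""
    if formula[0] == 'var':
        return [formula[1]]
    if formula[0] == 'bot':
        return []
    return sorted(set(variables(formula[1])) | set(variables(formula[2])))

def valid_in_Lk(formula, k):
    """Theorem 2 (3): valid in [-1,0]_{L_k}, i.e. the value is ⊤ = 0 under every valuation."""
    names = variables(formula)
    for vals in product(truth_values(k), repeat=len(names)):
        if evaluate(formula, dict(zip(names, vals))) != 0:
            return False
    return True

def theorem_of_LBn(formula, n):
    """Corollary 1 (3): a theorem of LB_n iff valid in [-1,0]_{L_k} for every k = 2, ..., n."""
    return all(valid_in_Lk(formula, k) for k in range(2, n + 1))

def smallest_k_refuting(formula, kmax=12):
    """First k in 2..kmax whose algebra [-1,0]_{L_k} refutes the formula, or None (example helper)."""
    for k in range(2, kmax + 1):
        if not valid_in_Lk(formula, k):
            return k
    return None

# The axioms of Definition 1 and the bounding axiom L_n5 of Definition 2.
A, B, C = var('A'), var('B'), var('C')
L1 = imp(A, imp(B, A))
L2 = imp(imp(A, B), imp(imp(B, C), imp(A, C)))
L3 = imp(imp(imp(A, B), B), imp(imp(B, A), A))
L4 = imp(imp(neg(A), neg(B)), imp(B, A))

def Ln5(n):
    return imp(times(n, A), times(n - 1, A))

if __name__ == '__main__':
    for name, ax in [('L1', L1), ('L2', L2), ('L3', L3), ('L4', L4)]:
        print(name, 'valid in L_2 .. L_8:', all(valid_in_Lk(ax, k) for k in range(2, 9)))
    for n in (2, 3, 4, 5):
        print(f'L_{n}5 is a theorem of LB_{n}:', theorem_of_LBn(Ln5(n), n),
              '; first refuting L_k: k =', smallest_k_refuting(Ln5(n)))
```

Running the block shows the picture behind Remark 2 and Theorem 3: L_n5 is refuted exactly from L_{n+1} on (the value −(n−1)/n of A makes n.A equal to ⊤ while (n−1).A stays below it), so it is a theorem of every L_k with k ≤ n and hence of LB_n, while the axioms L1 to L4 of L are valid in every [−1,0]_{L_k}.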



3 Ulam's Game Interpretation of LB_n 

In [12, 13] a semantic interpretation of Łukasiewicz finite- and infinite-valued 
logics is defined in terms of Ulam's game, a variant of the game of Twenty 
Questions where lies, or errors, are allowed in the answers. Here we show that 
a useful generalisation of Ulam's game is formalised by the family of bounded 
Łukasiewicz logics LB_n. 

We first recall the connection between Ulam's game with n − 2 lies and n-valued 
Łukasiewicz logic L_n presented in [5]. An instance of such a game proceeds 
as follows. An Answerer A chooses a number x from a finite subset S of natural 
numbers, called the search space. A Questioner Q then asks "questions" in the 
form of subsets of S. A, who is allowed to lie up to n − 2 times, responds "yes", 
meaning that x belongs to the chosen subset, or "no", meaning that it does 
not. Q's objective is to identify x. It is well known that Ulam's game models 
situations in the processing and sending of information that may be altered by 
some kind of "noise" (e.g. transmissions from a satellite). Here Q's aim 
can be interpreted as the discovery of the most efficient way of recovering information 
in the presence of possible distortions; the strategies of Q then lead naturally to 
the theory of error-correcting codes. 

Q's state of knowledge regarding x is uniquely determined at each point in 
time by a "conjunction" of the answers given by A. In general this conjunction 
fails to obey the rules of classical logic. For example, neither the principle of 
non-contradiction nor idempotency holds. If A answers "x is 2" and then "x is not 2", 
this is not inconsistent; it just means that A has one less lie to use. Similarly, 
repeated assertions that "x is 2" are more informative than one such assertion; 
indeed n − 1 such assertions guarantee truth. One way of describing Q's state 
of knowledge is by a function τ : S → {0, 1/(n − 1), ..., (n − 2)/(n − 1), 1} that 
assigns to each number y ∈ S the truth-value: 

$$\tau(y) = 1 - \frac{\text{answers falsified by } y}{n - 1}$$

Intuitively τ(y) measures, in units of n − 1, how far y is from falsifying too 
many answers. Accordingly the initial state of the game is the constant function 
1 over S. Moreover, as demonstrated in [12, 13], at each stage of the game 
both Q's state of knowledge and A's replies can be expressed by formulae in 
n-valued Łukasiewicz logic L_n. Hence Q's i-th state of knowledge is given by the 
Łukasiewicz conjunction ⊙ of the formulas expressing the j-th state of knowledge, 
for j = 1, ..., i − 1. If we also define, for every state of knowledge τ, a "coarsest" 
state ¬τ that is incompatible with τ, in the sense that τ ⊙ ¬τ = 0 (with 
¬τ = 1 − τ), then we obtain the following characterisation for L_n. 

Proposition 1 ([5]). A formula φ is a theorem of L_n if and only if φ represents 
the initial state for every Ulam's game with n − 2 lies. 

We now consider a generalised version of Ulam's game. In this version A and Q 
agree to split the search space S into n − 2 "parts" S_1, ..., S_{n−2}, where for 
each S_i, A is allowed to lie i times. Equivalently, we could permit the initial state 
to be taken from any of Q's intermediate states of knowledge of an instance of 
Ulam's game with n − 2 lies. Here the formulae representing the initial state 
for every generalised Ulam's game with n − 2 parts coincide with the common 
tautologies of L_k for k = 2, ..., n. More formally: 

Proposition 2. A formula φ is a theorem of LB_n if and only if φ represents 
the initial state for every Ulam's game with k lies, with k = 0, ..., n − 2. 

Proof. Follows by Corollary 1 and Proposition 1. □ 

This generalised version of Ulam's game has important applications in Information 
Theory, modelling search procedures for information with different probabilities 
of distortions; for example in transmitting "large" or "short" numbers or 
using different channels or frequency bands to send information (see e.g. [4]). 
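As an added example, not part of the paper, the following Python code plays out the state-of-knowledge function τ on a small search space: it computes τ from the answers given so far, recomputes it incrementally as the Łukasiewicz conjunction ⊙ of the previous state with the state expressed by each new answer, and reproduces the two situations described above ("x is 2" followed by "x is not 2", and n − 1 repetitions of "x is 2"). The encoding of answers as (subset, reply) pairs, the function names and the clipping of τ at 0 once y has falsified more than n − 1 answers are assumptions of this example.

```python
from fractions import Fraction

def falsifies(y, answer):
    """An answer is a pair (subset, reply): 'yes' claims x ∈ subset, 'no' claims x ∉ subset.
    The number y falsifies the answer when the claim is false for y."""
    subset, reply = answer
    return (y not in subset) if reply == 'yes' else (y in subset)

def state_of_knowledge(space, answers, n):
    """τ(y) = 1 − (answers falsified by y)/(n − 1) for Ulam's game with n − 2 lies.
    Values below 0 are clipped to 0 (assumption: y has falsified too many answers)."""
    return {y: max(Fraction(0), 1 - Fraction(sum(falsifies(y, a) for a in answers), n - 1))
            for y in space}

def luk_conj(x, y):
    """Łukasiewicz conjunction ⊙ on the truth values in [0, 1]: max(0, x + y − 1)."""
    return max(Fraction(0), x + y - 1)

def update(state, answer, n):
    """One step of the game: conjoin the previous state with the state expressed by the answer,
    which is 1 for numbers compatible with it and 1 − 1/(n − 1) for numbers falsifying it."""
    penalty = 1 - Fraction(1, n - 1)
    return {y: luk_conj(t, penalty if falsifies(y, answer) else Fraction(1))
            for y, t in state.items()}

def incremental_state(space, answers, n):
    """The i-th state as the ⊙-conjunction of the answer states, starting from the constant 1."""
    state = {y: Fraction(1) for y in space}
    for a in answers:
        state = update(state, a, n)
    return state

def candidates(state):
    """Numbers not yet excluded by the answers: those whose state is above 0."""
    return sorted(y for y, t in state.items() if t > 0)

def incompatible(state):
    """¬τ = 1 − τ, the coarsest state with τ ⊙ ¬τ = 0."""
    return {y: 1 - t for y, t in state.items()}

if __name__ == '__main__':
    n = 4                      # a game with n − 2 = 2 lies and 4 truth values
    S = [1, 2, 3, 4]           # constructed search space
    contradictory = [({2}, 'yes'), ({2}, 'no')]   # "x is 2", then "x is not 2"
    print(state_of_knowledge(S, contradictory, n))  # every y has spent one lie: all 2/3
    repeated = [({2}, 'yes')] * (n - 1)           # n − 1 assertions of "x is 2"
    print(candidates(state_of_knowledge(S, repeated, n)))  # only 2 survives
```

The incremental computation agrees with the closed form of τ for every sequence of answers, which is the content of the claim that Q's state of knowledge is the Łukasiewicz conjunction of the states expressed by the answers; the contradictory pair lowers every number by one lie instead of making the state empty, and after n − 1 identical assertions every other number reaches 0.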

4 The Hypersequent Calculus GL 

In this section we present and prove cut-elimination for the hypersequent calculus 
GL defined for L in [11]. Hypersequents were introduced by Avron in [1] as 
a natural generalisation of Gentzen sequents, consisting of a multiset of sequents 
and permitting the definition of rules that "exchange information" between different 
sequents. More precisely: 

Definition 8 (Hypersequent). A hypersequent is a multiset of the form 

$$\Gamma_1 \vdash \Delta_1 \mid \ldots \mid \Gamma_n \vdash \Delta_n$$

where for i = 1, ..., n, Γ_i and Δ_i are multisets⁵ of formulae, and Γ_i ⊢ Δ_i is an 
ordinary sequent, called a component of the hypersequent. 

The symbol "|" is intended to denote meta-level disjunction. In [11] hypersequents 
for L are interpreted using the characteristic model [−1,0]_L as follows: 

Definition 9 (Interpretation of Hypersequents for L). We say that a hypersequent 
Γ_1 ⊢ Δ_1 | ... | Γ_n ⊢ Δ_n is valid in L, in symbols ⊨*_L Γ_1 ⊢ Δ_1 | ... | Γ_n ⊢ 
Δ_n, iff for all valuations v for [−1,0]_L there exists i such that $\sum_{A \in \Gamma_i} v(A) \le 
\sum_{B \in \Delta_i} v(B)$, where $\sum_{A \in \emptyset} v(A) = 0$. 

Remark 5. We emphasize that for formulae this interpretation gives the usual 
notion of validity for L, i.e. we have that a formula A is a theorem of L iff ⊨*_L ⊢ A. 

Like ordinary sequent calculi, hypersequent calculi consist of axioms, logical rules 
and structural rules. However, for hypersequent calculi the structural rules are 
divided into internal and external rules. The former deal with formulas within 
components, while the latter manipulate whole components of a hypersequent. 
Standard external structural rules are external weakening (EW) and external 
contraction (EC): 

$$\dfrac{G}{G \mid \Gamma \vdash \Delta}\ (EW) \qquad \dfrac{G \mid \Gamma \vdash \Delta \mid \Gamma \vdash \Delta}{G \mid \Gamma \vdash \Delta}\ (EC)$$

where G represents a (possibly empty) side hypersequent. These rules do not 
really increase the expressive power of hypersequent calculi with respect to ordinary 
sequent calculi since they only apply to one component at a time. A rule 
that allows interactions between different components is the splitting rule (S): 

$$\dfrac{G \mid \Gamma_1, \Gamma_2 \vdash \Delta_1, \Delta_2}{G \mid \Gamma_1 \vdash \Delta_1 \mid \Gamma_2 \vdash \Delta_2}\ (S)$$

The hypersequent calculus GL is defined as follows: 

⁵ Note that by using multisets we avoid the need for exchange rules in our calculi. 
Definition 10 (GL). GL has the following axioms and rules: 

Axioms 

$$(ID)\ \ A \vdash A \qquad (\Lambda)\ \ \vdash \qquad (\bot)\ \ \bot \vdash A$$

Internal structural rules 

$$\dfrac{G \mid \Gamma \vdash \Delta}{G \mid \Gamma, A \vdash \Delta}\ (WL) \qquad \dfrac{G \mid \Gamma_1 \vdash \Delta_1 \qquad G \mid \Gamma_2 \vdash \Delta_2}{G \mid \Gamma_1, \Gamma_2 \vdash \Delta_1, \Delta_2}\ (M)$$

External structural rules 

(EW), (EC) and (S) 

Logical rules⁶ 

$$\dfrac{G \mid \Gamma, B \vdash A, \Delta \mid \Gamma \vdash \Delta}{G \mid \Gamma, A \supset B \vdash \Delta}\ (\supset, l) \qquad \dfrac{G \mid \Gamma \vdash \Delta \qquad G \mid \Gamma, A \vdash B, \Delta}{G \mid \Gamma \vdash A \supset B, \Delta}\ (\supset, r)$$
Example 1. We give a proof in GL of L4, the characteristic axiom for L: 

[The derivation tree itself is not recoverable from the scan; its steps are listed below in linear form, each sequent followed by the rule deriving it and the steps it is derived from.]

1. B, A ⊢ A, B     (M) from the axioms B ⊢ B and A ⊢ A 
2. B, A ⊢ A, B | B ⊢ A     (EW) from 1 
3. B, B ⊃ A ⊢ A     (⊃, l) from 2 
4. B, B ⊃ A, A ⊢ A, B     (WL) from 1 
5. B, B ⊃ A ⊢ A, A ⊃ B     (⊃, r) from 3 and 4 
6. B, B ⊃ A ⊢ A, A ⊃ B | B ⊃ A ⊢ A     (EW) from 5 
7. (A ⊃ B) ⊃ B, B ⊃ A ⊢ A     (⊃, l) from 6 
8. (A ⊃ B) ⊃ B ⊢     (WL) from the axiom ⊢ (Λ) 
9. (A ⊃ B) ⊃ B ⊢ (B ⊃ A) ⊃ A     (⊃, r) from 8 and 7 
10. ⊢ ((A ⊃ B) ⊃ B) ⊃ ((B ⊃ A) ⊃ A)     (⊃, r) from the axiom ⊢ (Λ) and 9 

Soundness and completeness of GL are proved in [11] by relating GL to a hypersequent 
calculus for abelian logic, and then proving the soundness and completeness 
of this latter calculus semantically. 

Theorem 4 (Soundness and Completeness of GL [11]). A hypersequent G 
is derivable in GL iff ⊨*_L G. 

⁶ In the logical rules, A ⊃ B is called the principal formula. 
4.1 Cut-Elimination for GL 

Cut-elimination is one of the most important procedures in logic. The removal 
of cuts corresponds to the elimination of "lemmas" from proofs. This renders 
a proof analytic, in the sense that all formulae occurring in the proof are subformulae 
of the formula to be proved. 

In [11] it was shown that the following cut rules are admissible for GL. 

$$\dfrac{G \mid \Gamma, A \vdash \Delta \qquad G \mid \Pi \vdash A, \Sigma}{G \mid \Gamma, \Pi \vdash \Delta, \Sigma}\ (cut) \qquad \dfrac{G \mid \Gamma, A \vdash A, \Delta}{G \mid \Gamma \vdash \Delta}\ (gencut)$$

Here we prove a stronger result, namely that in GL cut-elimination holds for 
these rules, i.e. that there is an algorithm for transforming a proof of a hypersequent 
G in GL + (gencut) (resp. GL + (cut)) into a proof of G in GL. First 
observe that the above cut rules are interderivable in GL: 

$$\dfrac{\dfrac{\dfrac{\Gamma, A \vdash A, \Delta}{\Gamma \vdash \Delta \mid \Gamma, A \vdash A, \Delta}\ (EW)}{\Gamma, A \supset A \vdash \Delta}\ (\supset, l) \qquad \dfrac{\vdash \qquad A \vdash A}{\vdash A \supset A}\ (\supset, r)}{\Gamma \vdash \Delta}\ (cut)$$

$$\dfrac{\dfrac{\Gamma, A \vdash \Delta \qquad \Pi \vdash A, \Sigma}{\Gamma, \Pi, A \vdash A, \Delta, \Sigma}\ (M)}{\Gamma, \Pi \vdash \Delta, \Sigma}\ (gencut)$$

We therefore prove cut-elimination for GL + (gencut) and obtain cut-elimination 
for GL + (cut) as a corollary. Our strategy is as follows. We show 
that the logical rules of GL are invertible (i.e. that the premises of the rule are 
derivable if the conclusion is derivable); this allows us to reduce all applications 
of (gencut) to applications of (gencut) on atomic cut formulae. We then show 
that applications of (cut) on atomic cut formulae can be eliminated (required 
to deal with the rule (M)), and finally that applications of (gencut) on atomic 
cut formulae can be eliminated. 

To aid exposition, we adopt the following conventions, where A is a formula and 
Σ is a multiset of formulae: 

$$\lambda A = \{\overbrace{A, \ldots, A}^{\lambda}\} \qquad \text{and} \qquad \lambda\Sigma = \overbrace{\Sigma \cup \ldots \cup \Sigma}^{\lambda} \qquad \text{for } \lambda \ge 0$$

The following lemmas will be useful. 

Lemma 1 ([11]). If G | Γ ⊢ ⊥, Δ is derivable in GL, then G | Γ ⊢ A, Δ is derivable 
in GL. 

Lemma 2. If G | Γ ⊢ Δ, Σ is derivable in GL, then G | Γ ⊢ Δ is derivable in 
GL. 

Proof. An easy induction on the height of a derivation of G | Γ ⊢ Δ, Σ. □ 

In the next two propositions we establish the invertibility of the logical rules. 

Proposition 3. If G | Γ, A ⊃ B ⊢ Δ is derivable in GL, then G | Γ ⊢ Δ | Γ, B ⊢ 
A, Δ is derivable in GL. 
Proof. We actually prove a more general result (required to deal with the rule 
(EC)), namely that: 

If Q = Γ_1, λ_1(A ⊃ B) ⊢ Δ_1 | ... | Γ_k, λ_k(A ⊃ B) ⊢ Δ_k is derivable in GL for 
λ_1, ..., λ_k ≥ 0, then Q' = Γ_1 ⊢ Δ_1 | Γ_1, λ_1 B ⊢ Δ_1, λ_1 A | ... | Γ_k ⊢ Δ_k | Γ_k, λ_k B ⊢ 
Δ_k, λ_k A is derivable in GL. 

We proceed by induction on h, the height of a proof of Q. We assume λ_i > 0 
for some i, 1 ≤ i ≤ k, as otherwise the proof is trivial. If h = 0 then Q = A ⊃ 
B ⊢ A ⊃ B and Q' = ⊢ A ⊃ B | B ⊢ A ⊃ B, A, which is derivable in GL. For 
h > 0 there are several cases for the last rule r applied. 

— r is (WL) and we step to: 

Γ_1, (λ_1 − 1)(A ⊃ B) ⊢ Δ_1 | ... | Γ_k, λ_k(A ⊃ B) ⊢ Δ_k 

so by the induction hypothesis: 

Γ_1 ⊢ Δ_1 | Γ_1, (λ_1 − 1)B ⊢ Δ_1, (λ_1 − 1)A | ... | Γ_k ⊢ Δ_k | Γ_k, λ_k B ⊢ Δ_k, λ_k A 

is derivable in GL; hence Q' is derivable by repeatedly applying (M) and 
(S) (λ_1 − 1) times together with (EC) and (EW) as necessary. 

— r is (EW), (EC), (S), (⊃, r) or (WL) and the weakened formula is in one 
of the Γ_i's. These cases involve unproblematic applications of the induction 
hypothesis followed by applications of the corresponding rule. 

— r is (M). We step to: 

Γ'_1, μ(A ⊃ B) ⊢ Δ'_1 | ... | Γ_k, λ_k(A ⊃ B) ⊢ Δ_k and 
Γ''_1, (λ_1 − μ)(A ⊃ B) ⊢ Δ''_1 | ... | Γ_k, λ_k(A ⊃ B) ⊢ Δ_k 

hence by the induction hypothesis twice we get that: 

Γ'_1 ⊢ Δ'_1 | Γ'_1, μB ⊢ Δ'_1, μA | ... | Γ_k ⊢ Δ_k | Γ_k, λ_k B ⊢ Δ_k, λ_k A and 

Γ''_1 ⊢ Δ''_1 | Γ''_1, (λ_1 − μ)B ⊢ Δ''_1, (λ_1 − μ)A | ... | Γ_k ⊢ Δ_k | Γ_k, λ_k B ⊢ Δ_k, λ_k A 

are derivable in GL. Hence Q' is derivable in GL by suitable applications 
of (M) and (EW). 

— r is (⊃, l). There are two subcases: 

(a) If the principal formula in (⊃, l) is in Γ_i for some i, 1 ≤ i ≤ k, the claim 
follows by the induction hypothesis and two applications of (⊃, l). 

(b) Otherwise, we step to: 

Γ_1, (λ_1 − 1)(A ⊃ B) ⊢ Δ_1 | Γ_1, (λ_1 − 1)(A ⊃ B), B ⊢ A, Δ_1 | ... | Γ_k, λ_k(A ⊃ B) ⊢ Δ_k 

By the induction hypothesis we have: 

Γ_1 ⊢ Δ_1 | Γ_1, (λ_1 − 1)B ⊢ (λ_1 − 1)A, Δ_1 | Γ_1, B ⊢ A, Δ_1 | Γ_1, λ_1 B ⊢ λ_1 A, Δ_1 | ... | 
Γ_k ⊢ Δ_k | Γ_k, λ_k B ⊢ Δ_k, λ_k A 

By (λ_1 − 1) applications of (M) followed by (λ_1 − 1) applications of (S) and 
(EC) we have: 

Γ_1 ⊢ Δ_1 | Γ_1, (λ_1 − 1)B ⊢ (λ_1 − 1)A, Δ_1 | Γ_1, λ_1 B ⊢ Δ_1, λ_1 A | Γ_1, λ_1 B ⊢ λ_1 A, Δ_1 | 
... | Γ_k ⊢ Δ_k | Γ_k, λ_k B ⊢ Δ_k, λ_k A 

Hence Q' is derivable by repeatedly applying (M) and (S) (λ_1 − 1) times 
together with (EC) and (EW) as necessary. □ 

Proposition 4. If G | Γ ⊢ A ⊃ B, Δ is derivable in GL, then G | Γ ⊢ Δ and G | Γ, A ⊢ B, Δ are 
derivable in GL. 

Proof. Similar to that of Proposition 3. □ 

We now show that applications of (cut) on atomic⁷ formulae are eliminable. 

Proposition 5. If G | Γ, λq ⊢ Δ and G' | Π ⊢ λq, Σ are derivable in GL for q 
atomic and λ ≥ 0, then G | G' | Γ, Π ⊢ Δ, Σ is derivable in GL. 

Proof. We prove the more general result that: 

If Q = Γ_1, λ_1 q ⊢ Δ_1 | ... | Γ_k, λ_k q ⊢ Δ_k and Q'_i = G_i | Π_i ⊢ Σ_i, μ_i q for i = 
1, ..., k are derivable in GL for q atomic and μ_i ≥ λ_i ≥ 0 for i = 1, ..., k, then 
Q' = G_1 | ... | G_k | Γ_1, Π_1 ⊢ Δ_1, Σ_1, (μ_1 − λ_1)q | ... | Γ_k, Π_k ⊢ Δ_k, Σ_k, (μ_k − λ_k)q is 
derivable in GL. 

We proceed by induction on h, the height of a proof of Q. We assume that 
μ_i ≥ λ_i > 0 for some i, 1 ≤ i ≤ k, as otherwise Q' is derivable easily using 
(EW) and (M). For h = 0 there are two possibilities. If Q = q ⊢ q then 
Q' = Q'_1 = G_1 | Π_1 ⊢ Σ_1, μ_1 q, which is derivable in GL. If Q = ⊥ ⊢ A then 
Q' = G_1 | Π_1 ⊢ A, Σ_1, (μ_1 − 1)⊥, which is derivable by Lemma 1. For h > 0 we 
have several cases according to the last rule r applied. 

— r is (WL). There are two subcases. 

(a) We step to: Q'' = Γ_1, (λ_1 − 1)q ⊢ Δ_1 | ... | Γ_k, λ_k q ⊢ Δ_k 

Since μ_1 ≥ λ_1 ≥ 1 we have by Lemma 2 that Q''_1 = G_1 | Π_1 ⊢ Σ_1, (μ_1 − 1)q 
is derivable in GL. Hence by the induction hypothesis applied to 
Q'', Q''_1, Q'_2, ..., Q'_k we get that Q' is derivable in GL. 

(b) We step to: Q'' = Γ_1 − {A}, λ_1 q ⊢ Δ_1 | ... | Γ_k, λ_k q ⊢ Δ_k 
and the claim follows by the induction hypothesis and (WL). 

⁷ Note that an atomic formula is either a propositional variable or ⊥. 
— r is (EW), (EC), (⊃, l) or (⊃, r). These involve straightforward applications 
of the induction hypothesis and the corresponding rule. 

— r is (M). We step to: 

Q_1 = Γ'_1, λ'_1 q ⊢ Δ'_1 | ... | Γ_k, λ_k q ⊢ Δ_k and 
Q_2 = Γ''_1, λ''_1 q ⊢ Δ''_1 | ... | Γ_k, λ_k q ⊢ Δ_k 

By the induction hypothesis applied to Q_1 and Q'_1, ..., Q'_k we get that: 

Q'' = G | G_1 | Γ'_1, Π_1 ⊢ Δ'_1, Σ_1, (μ_1 − λ'_1)q where 

G = G_2 | ... | G_k | Γ_2, Π_2 ⊢ Δ_2, Σ_2, (μ_2 − λ_2)q | ... | Γ_k, Π_k ⊢ Δ_k, Σ_k, (μ_k − λ_k)q 

is derivable in GL. Now we apply the induction hypothesis again, this time 
to Q_2 and Q'', Q'_2, ..., Q'_k, giving that: 

G | G_1 | Γ'_1, Γ''_1, Π_1 ⊢ Δ'_1, Δ''_1, Σ_1, ((μ_1 − λ'_1) − λ''_1)q | G 

is derivable in GL. Hence Q' is derivable in GL using (EC). 

— r is (S). We step to: 

Q_1 = Γ_1, Γ_2, λ_1 q, λ_2 q ⊢ Δ_1, Δ_2 | ... | Γ_k, λ_k q ⊢ Δ_k 

Since G_i | Π_i ⊢ Σ_i, μ_i q is derivable in GL for i = 1, 2 we have that: 

Q'_{1,2} = G_1 | G_2 | Π_1, Π_2 ⊢ Σ_1, Σ_2, (μ_1 + μ_2)q 

is derivable in GL by (M) and (EW). So now by the induction hypothesis 
applied to Q_1 and Q'_{1,2}, Q'_3, ..., Q'_k we get that: 

G_1 | ... | G_k | Γ_1, Γ_2, Π_1, Π_2 ⊢ Δ_1, Δ_2, Σ_1, Σ_2, ((μ_1 + μ_2) − (λ_1 + λ_2))q | G 
is derivable in GL where 

G = Γ_3, Π_3 ⊢ Δ_3, Σ_3, (μ_3 − λ_3)q | ... | Γ_k, Π_k ⊢ Δ_k, Σ_k, (μ_k − λ_k)q 
Hence Q' is derivable in GL by (S). □ 

We now show that applications of (gencut) on atomic cut formulae can be eliminated. 

Proposition 6. If Q = Γ_1, λ_1 q ⊢ Δ_1, λ_1 q | ... | Γ_k, λ_k q ⊢ Δ_k, λ_k q is derivable 
in GL for q atomic and λ_1, ..., λ_k ≥ 0, then Q' = Γ_1 ⊢ Δ_1 | ... | Γ_k ⊢ Δ_k is 
derivable in GL. 

Proof. We proceed by induction on h, the height of a proof of Q. We assume 
that λ_i > 0 for some i, 1 ≤ i ≤ k, as otherwise the claim is trivial. If h = 0 
then Q = q ⊢ q and Q' = ⊢, which is derivable by (Λ). For h > 0 we have 
several possibilities for the last rule r applied. We outline the only non-trivial 
case, where r is (M) and we step to: 

Q_1 = Γ'_1, μq ⊢ Δ'_1, γq | ... | Γ_k, λ_k q ⊢ Δ_k, λ_k q and 

Q_2 = Γ''_1, (λ_1 − μ)q ⊢ Δ''_1, (λ_1 − γ)q | ... | Γ_k, λ_k q ⊢ Δ_k, λ_k q 

Without loss of generality we assume μ ≥ γ. By the induction hypothesis twice 
we get that: 

Q'_1 = Γ'_1, (μ − γ)q ⊢ Δ'_1 | ... | Γ_k ⊢ Δ_k and Q'_2 = Γ''_1 ⊢ Δ''_1, (μ − γ)q | ... | Γ_k ⊢ Δ_k 

are derivable in GL, so Q' is derivable in GL by Proposition 5 and (EC). □ 

Finally we show that cut-elimination holds for GL + (gencut). 

Theorem 5. If G | Γ, A ⊢ A, Δ is derivable in GL, then G | Γ ⊢ Δ is derivable 
in GL. 

Proof. We proceed by induction on c, the complexity of A. If c = 1 then the 
claim holds by Proposition 6. For c > 1 we use Propositions 3 and 4 and apply 
the appropriate logical rules to A = B ⊃ C on both sides, giving that: 

Q_1 = G | Γ ⊢ Δ | Γ, C ⊢ Δ, B and Q_2 = G | Γ, B, C ⊢ Δ, B, C | Γ, B ⊢ Δ, C 

are derivable in GL. By the induction hypothesis twice for Q_2 we have that: 

Q_3 = G | Γ ⊢ Δ | Γ, B ⊢ Δ, C 

is derivable in GL. By (M) applied to Q_1 and Q_3 we get that: 

Q_4 = G | Γ ⊢ Δ | Γ, Γ, B, C ⊢ Δ, Δ, B, C 

is derivable in GL. Hence, applying the induction hypothesis twice to Q_4: 

G | Γ ⊢ Δ | Γ, Γ ⊢ Δ, Δ 

is derivable in GL. The claim now follows using (EC) and (S). □ 

Corollary 2. Cut-elimination holds for GL + (cut). 

Proof. By Theorem 5 and the derivability of (cut) in GL + (gencut). □ 

5 Hypersequent Calculi for Bounded Łukasiewicz Logics 

We now return our attention to bounded Łukasiewicz logics, defining the validity 
of a hypersequent in LB_n in terms of its validity in the k-valued Łukasiewicz 
logics for k = 2, ..., n. 

Definition 11 (Interpretation of Hypersequents for L_k). A hypersequent 
G = Γ_1 ⊢ Δ_1 | ... | Γ_n ⊢ Δ_n is valid in L_k, in symbols ⊨*_{L_k} G, iff for all valuations 
v for [−1,0]_{L_k} there exists i such that $\sum_{A \in \Gamma_i} v(A) \le \sum_{B \in \Delta_i} v(B)$, where 
$\sum_{A \in \emptyset} v(A) = 0$. 

Definition 12 (Interpretation of Hypersequents for LB_n). A hypersequent 
G is valid in LB_n, in symbols ⊨*_{LB_n} G, iff ⊨*_{L_k} G for k = 2, ..., n. 
Remark 6. It follows from Corollary 1 that A is a theorem of LB_n iff ⊨*_{LB_n} ⊢ A. 

We introduce analytic calculi for LB_n based on this interpretation. 

Definition 13 (GLB_n). GLB_n has the same axioms and rules as GL and: 

$$\dfrac{G \mid \overbrace{\Pi, \ldots, \Pi}^{n-1}, \Gamma, \bot \vdash \overbrace{\Sigma, \ldots, \Sigma}^{n-1}, \Delta}{G \mid \Pi \vdash \Sigma \mid \Gamma \vdash \Delta}\ (nC)$$

Remark 7. To obtain a true subformula property for the calculus we can replace 
the occurrence of ⊥ in the above rule by an atomic formula q with the added 
condition that q must occur in G | Π ⊢ Σ | Γ ⊢ Δ. 



Example 2. As an example we prove the characteristic axiom of LB_n. 

[Derivation tree not recoverable from the scan. Its lower part reads, from the end-sequent upwards: ⊢ n.A ⊃ (n − 1).A is obtained by (⊃, r) from n.A ⊢ (n − 1).A, which is obtained by (⊃, r) from n.A, ¬A ⊢ (n − 2).A, and so on by further (⊃, r) steps up to n.A, (n − 2)¬A ⊢ A; this sequent is obtained by (⊃, l) from (n − 2)¬A ⊢ A | (n − 1).A, (n − 2)¬A ⊢ A, ¬A. The upper part of the tree uses the axiom A ⊢ A, the rules (M), (⊃, l) and (⊃, r), and one application of (nC).]



Theorem 6 (Soundness of GLB_n). If a hypersequent G is derivable in 
GLB_n, then ⊨*_{LB_n} G. 

Proof. We proceed by induction on the height of a proof of G, checking that the 
axioms are valid in LB_n and that the rules preserve validity, i.e. that if the 
premises are valid in LB_n then so is the conclusion. Since all but one of the 
cases are essentially the same as for the proof of Theorem 4 given in [11], we 
just check the rule (nC). Suppose that: 

(1) ⊨*_{L_k} (n − 1)Π, Γ, ⊥ ⊢ (n − 1)Σ, Δ for k = 2, ..., n 

We check that ⊨*_{L_k} Π ⊢ Σ | Γ ⊢ Δ for k = 2, ..., n. 

Consider a valuation v for [−1,0]_{L_k}, 2 ≤ k ≤ n. If $\sum_{A \in \Pi} v(A) \le \sum_{B \in \Sigma} v(B)$ 
then we are done. If $\sum_{A \in \Pi} v(A) > \sum_{B \in \Sigma} v(B)$ then we get: 

$$0 > \sum_{B \in \Sigma} v(B) - \sum_{A \in \Pi} v(A)$$

and, since there are just k truth values: 

$$-\frac{1}{n-1} \ge -\frac{1}{k-1} \ge \sum_{B \in \Sigma} v(B) - \sum_{A \in \Pi} v(A)$$

But now, since by (1) we have: 

$$(n-1)\Big(\sum_{A \in \Pi} v(A)\Big) + \sum_{A \in \Gamma} v(A) + (-1) \le (n-1)\Big(\sum_{B \in \Sigma} v(B)\Big) + \sum_{B \in \Delta} v(B)$$

we get that $\sum_{A \in \Gamma} v(A) \le \sum_{B \in \Delta} v(B)$ and ⊨*_{L_k} Π ⊢ Σ | Γ ⊢ Δ as required. □ 
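To see the rule (nC) at work on the interpretation of Definitions 11 and 12, here is an added Python example, not from the paper: it decides validity of hypersequents whose formulae are atoms or ⊥ (the atomic form of the rule that Remark 7 allows) by enumerating valuations over [−1,0]_{L_k}, builds instances of (nC), confirms exhaustively on small instances that an LB_n-valid premise always yields an LB_n-valid conclusion (the case of Theorem 6 just checked), and shows on the instance with conclusion ⊢ q | (n − 1)q ⊢ ⊥ that the conclusion need not be valid in L_{n+1}, so the rule is tied to the bound n. All function names, the encoding of hypersequents and the sample instance are this example's own.

```python
from fractions import Fraction
from itertools import product

# An atomic hypersequent is a list of components (gamma, delta); gamma and delta are
# multisets written as lists of atom names, with the string BOT standing for ⊥.
BOT = '_|_'

def truth_values(k):
    """Carrier of [-1,0]_{L_k}: {-1, -(k-2)/(k-1), ..., -1/(k-1), 0}."""
    return [Fraction(-j, k - 1) for j in range(k - 1, -1, -1)]

def atoms_of(hyperseq):
    names = set()
    for gamma, delta in hyperseq:
        names.update(a for a in gamma + delta if a != BOT)
    return sorted(names)

def total(side, v):
    """Σ_{A ∈ side} v(A), with v(⊥) = -1 and the empty sum equal to 0 (Definition 11)."""
    return sum((Fraction(-1) if a == BOT else v[a] for a in side), Fraction(0))

def valid_in_Lk(hyperseq, k):
    """Definition 11: under every valuation over [-1,0]_{L_k} some component
    Γ_i ⊢ Δ_i satisfies Σ v(Γ_i) ≤ Σ v(Δ_i)."""
    names = atoms_of(hyperseq)
    for vals in product(truth_values(k), repeat=len(names)):
        v = dict(zip(names, vals))
        if not any(total(g, v) <= total(d, v) for g, d in hyperseq):
            return False
    return True

def valid_in_LBn(hyperseq, n):
    """Definition 12: valid in LB_n iff valid in L_k for every k = 2, ..., n."""
    return all(valid_in_Lk(hyperseq, k) for k in range(2, n + 1))

def nC_instance(n, pi, sigma, gamma, delta, side=()):
    """An instance of (nC): premise G | (n-1)Π, Γ, ⊥ ⊢ (n-1)Σ, Δ and conclusion G | Π ⊢ Σ | Γ ⊢ Δ."""
    premise = list(side) + [((n - 1) * pi + gamma + [BOT], (n - 1) * sigma + delta)]
    conclusion = list(side) + [(pi, sigma), (gamma, delta)]
    return premise, conclusion

def nC_preserves_LBn_validity(n, atoms=('p', 'q'), max_size=1):
    """Exhaustive check over all (nC) instances whose four multisets hold at most max_size
    symbols from atoms ∪ {⊥}: every LB_n-valid premise must have an LB_n-valid conclusion.
    Returns (ok, number of instances with a valid premise)."""
    symbols = list(atoms) + [BOT]
    multisets = [[]]
    for size in range(1, max_size + 1):
        multisets += [list(c) for c in product(symbols, repeat=size)]
    checked = 0
    for pi, sigma, gamma, delta in product(multisets, repeat=4):
        premise, conclusion = nC_instance(n, pi, sigma, gamma, delta)
        if valid_in_LBn(premise, n):
            checked += 1
            if not valid_in_LBn(conclusion, n):
                return False, checked
    return True, checked

if __name__ == '__main__':
    n = 3
    # Constructed instance: premise (n-1)q, ⊥ ⊢ (n-1)q, ⊥ (valid in every L_k),
    # conclusion ⊢ q | (n-1)q ⊢ ⊥ (valid in L_2, ..., L_n but refuted by v(q) = -1/n in L_{n+1}).
    premise, conclusion = nC_instance(n, [], ['q'], (n - 1) * ['q'], [BOT])
    print('premise valid in L_2..L_6:', all(valid_in_Lk(premise, k) for k in range(2, 7)))
    print(f'conclusion valid in LB_{n}:', valid_in_LBn(conclusion, n),
          f'; in L_{n + 1}:', valid_in_Lk(conclusion, n + 1))
    print('(nC) sound on small instances:', nC_preserves_LBn_validity(n))
```

The exhaustive check is the finite-domain counterpart of the argument in the proof of Theorem 6: whenever Σ v(Π) exceeds Σ v(Σ) the gap is at least 1/(k − 1) ≥ 1/(n − 1), so the (n − 1)-fold copies together with the ⊥ on the left of the premise force Σ v(Γ) ≤ Σ v(Δ). The sample instance shows why the bound matters: in L_{n+1} the value −1/n is available, the gap can be smaller than 1/(n − 1), and the conclusion fails.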

We now turn our attention to proving the completeness of GLBn. As a first
step we show that GLBn + (gencut) is complete.

Proposition 7. If ⊢ A and ⊢ A ⊃ B are derivable in GLBn + (gencut) then
⊢ B is derivable in GLBn + (gencut).

Proof. We have that ⊢ A and A ⊢ B are derivable in GLBn + (gencut). Hence
by (M), A ⊢ A, B is derivable in GLBn + (gencut), and by (gencut), ⊢ B is
derivable in GLBn + (gencut). □

Theorem 7 (Completeness). If a formula A is a theorem of LBn, then ⊢ A
is derivable in GLBn + (gencut).

Proof. We use the completeness of the axiomatisation for LBn of Definition 6.
It is easy to check that GLBn + (gencut) proves all the axioms of LBn, and
by Proposition 7 also (mp) is admissible in GLBn + (gencut). □

We now show that (gencut) can be eliminated from derivations in GLBn +
(gencut), by checking that the rule (nC) does not spoil the cut-elimination
procedure for GL outlined in Section 4.1. It is easy to prove that the logical rules
remain invertible in GLBn by extending the proofs of Propositions 3 and 4. The
next step is to show that applications of (cut) on atomic cut formulae can be
eliminated.

Proposition 8. If G|Γ, λq ⊢ Δ and G'|Π ⊢ Σ, λq are derivable in GLBn for q
atomic, then G|G'|Γ, Π ⊢ Δ, Σ is derivable in GLBn.

Proof. We follow exactly the proof of Proposition 5 and prove the more general
result that:

If Q = Γ1, λ1 q ⊢ Δ1 | ... | Γk, λk q ⊢ Δk and Q'_i = G_i | Π_i ⊢ Σ_i, μ_i q for i = 1, ..., k
are derivable in GLBn for q atomic and μ_i ≥ λ_i ≥ 0 for i = 1, ..., k, then
Q' = G1 | ... | Gk | Γ1, Π1 ⊢ Δ1, Σ1, (μ1 - λ1)q | ... | Γk, Πk ⊢ Δk, Σk, (μk - λk)q is
derivable in GLBn.

As before we proceed by induction on the height of a proof of Q. Here we just
check the case where the last step is an application of the rule (nC). We step to:

Q1 = (n-1)Γ1, Γ2, ((n-1)λ1 + λ2)q, ⊥ ⊢ (n-1)Δ1, Δ2 | ... | Γk, λk q ⊢ Δk

Now, since G_i | Π_i ⊢ Σ_i, μ_i q is derivable in GLBn for i = 1, 2 we have that:

Q'_{1,2} = G1 | G2 | (n-1)Π1, Π2 ⊢ (n-1)Σ1, Σ2, ((n-1)μ1 + μ2)q

is derivable in GLBn by (M) and (EW). So by the induction hypothesis applied
to Q1 and Q'_{1,2}, Q'_3, ..., Q'_k we get that:

G1 | ... | Gk | (n-1)Γ1, (n-1)Π1, Γ2, Π2, ⊥ ⊢ (n-1)Δ1, (n-1)Σ1, Δ2, Σ2, (n-1)(μ1 - λ1)q, (μ2 - λ2)q | ... | Γk, Πk ⊢ Δk, Σk, (μk - λk)q

is derivable in GLBn. Hence Q' is derivable in GLBn by (nC) as required. □

We now check that applications of (gencut) on atomic cut formulae can be
eliminated in GLBn.

Proposition 9. If Q = Γ1, λ1 q ⊢ Δ1, λ1 q | ... | Γk, λk q ⊢ Δk, λk q is derivable in
GLBn for q atomic and λ1, ..., λk ≥ 0, then Q' = Γ1 ⊢ Δ1 | ... | Γk ⊢ Δk is
derivable in GLBn.

Proof. We follow the proof of Proposition 6 and just check the extra case where
the last step in the proof of Q is an application of (nC). We step to:

(n-1)Γ1, Γ2, ((n-1)λ1 + λ2)q, ⊥ ⊢ (n-1)Δ1, Δ2, ((n-1)λ1 + λ2)q | ... | Γk, λk q ⊢ Δk, λk q.

By the induction hypothesis we get that:

(n-1)Γ1, Γ2, ⊥ ⊢ (n-1)Δ1, Δ2 | ... | Γk ⊢ Δk

is derivable in GLBn. Hence Q' is derivable in GLBn by (nC). □

We arrive at the following cut-elimination theorem for GLBn. 

Theorem 8. If G|Γ, A ⊢ Δ, A is derivable in GLBn, then G|Γ ⊢ Δ is derivable
in GLBn.
Abstract. A parallel version of Lorenzen’s dialogue theoretic foundation
for intuitionistic logic is shown to be adequate for a number of
important intermediate logics. The soundness and completeness proofs
proceed by relating hypersequent derivations to winning strategies for
parallel dialogue games. This also provides a computational interpretation
of hypersequents.



1 Introduction 

In recent years hypersequent calculi have emerged as a flexible type of proof
system for a wide range of logics (see, e.g., [3, 5, 4]). These calculi share many
favorable properties with Gentzen’s classic sequent calculi LK and LI. Most
importantly, cuts are eliminable and the logical rules are strictly analytic —
i.e., they only refer to immediate subformulas of the introduced formula and are
context independent. Consequently these calculi are of relevance to automated
reasoning. However, the relation between hypersequent derivations and the
semantics of the corresponding logics is much more obscure than in the case of
classical or intuitionistic sequents. Standard completeness proofs for LK and LI
show how to extract counter models for underivable formulas; it is mainly this
feature that allows one to call (a particular form of) goal oriented proof search in
sequent calculi ‘semantic tableaux’. Unfortunately, the hypersequent calculi that
have been formulated for intermediate logics like Gödel-Dummett logic G∞, the
logic LQ of weak excluded middle, or finite-valued Gödel logics do not relate
directly to a semantic foundation of these logics. To address this concern, we
show that hypersequents bear a close relation to an interesting foundational
approach that constitutes an alternative to standard Tarski-style semantics:
dialogue games.

2 Lorenzen Style Dialogue Games 

Logical dialogue games come in many forms and versions, nowadays. Here, we
do not use more recent formulations in the style of Blass [2] or Abramsky [1]¹,
but rather refer directly to Paul Lorenzen’s original idea (dating back to the late
1950s, see e.g., [15]) to identify logical validity of a formula A with the existence
of a winning strategy for a proponent P in an idealized confrontational dialogue,
in which P tries to uphold A against systematic doubts by an opponent O.
Although the claim that this leads to an alternative characterization — or even:
‘justification’ — of intuitionistic logic was implicit already in Lorenzen’s early
essays, it took more than twenty years until the first rigorous, complete and error
free proof of this central claim was published in [8]. Many variants of Lorenzen’s
original dialogue games have appeared in the literature since. (Already Lorenzen
and his collaborators defined different versions of the game. See, e.g., [9, 13] for
further references.) Here, we define a version of dialogue games that are: 1) well
suited for demonstrating the close relation to analytic Gentzen-type systems; 2)
easily shown to be equivalent to other versions of dialogue games for intuitionistic
logic that can be found in the literature; 3) straightforward to consider ‘in
parallel’.

¹ These more modern logical dialogue games differ considerably from the original ones
of Lorenzen and his school. In particular, parallelism is introduced already at the level
of analyzing single connectives. This feature of Blass/Abramsky style games makes
them useful for modelling certain features of linear logic and related formalisms, but
less well connected to the well motivated foundational intentions of Lorenzen.

Notation. An atomic formula (atom) is either a propositional variable or
⊥ (falsum). As usual, compound formulas are built up from atoms using the
connectives ⊃, ∧, ∨; ¬A abbreviates A ⊃ ⊥. In addition to formulas, the special
signs ?, l?, r? can be stated in a dialogue by the players P and O, as specified
below.

Dialogue games are characterized by two sorts of rules: logical ones and structural
ones. The logical rules define how to attack a compound formula and how
to defend against such an attack. They are summarized in the following table.
(If X is the proponent P then Y refers to the opponent O, and vice versa.²)

Logical dialogue rules:

    X states:    attack by Y               defense by X
    A ∧ B        l? or r? (Y chooses)      A or B, accordingly
    A ∨ B        ?                         A or B (X chooses)
    A ⊃ B        A                         B

We will see below that O may also attack atoms (including ⊥) by stating ‘?’.

A dialogue is a sequence of moves, which are either attacking or defending 
statements, in accordance with the logical rules. Each dialogue refers to a finite 
multiset of formulas that are initially granted by O, and to an initial formula to 
be defended by P. 

Moves can be viewed as state transitions. In any state of the dialogue the
(multiset of) formulas that have been either initially granted or stated by O so
far are called the granted formulas (at this state). The last formula that has been
stated by P and that either already has been attacked or must be attacked in O’s
next move is called the active formula. (Note that the active formula, in general, is
not the last formula stated by P, since P may have stated formulas after the
active formula that are not attacked by O.) With each state of a dialogue we
thus associate a dialogue sequent Π ⊢ A, where Π denotes the granted formulas
and A the active formula.

² Note that both players may launch attacks as well as defending moves during the
course of a dialogue. For motivation and detailed exposition of these rules we refer
to [9].

We stipulate that each move carries the information (pointers) necessary to 
reconstruct which formula is attacked or defended in which way in that move. 
However, we do not care about the exact way in which this information is coded. 

Structural rules (Rahmenregeln in the diction of Lorenzen and his school)
regulate the succession of moves. Quite a number of different systems of structural
rules have been proposed in the literature (see e.g., [16, 9, 13]; in particular, [13]
compares and discusses different systems). The following rules, together with
the winning conditions stated below, amount to a version of dialogues
traditionally called E_i-dialogues (i.e., Felscher’s E-dialogues combined with the so-called
ipse dixisti rule; see, e.g., [13]).

Structural Dialogue Rules:

Start: The first move of the dialogue is carried out by O and consists in an
attack on the initial formula.

Alternate: Moves strictly alternate between players O and P.

Atom: Atomic formulas, including ⊥, may be stated by both players, but can
neither be attacked nor defended by P.

E: Each (but the first) move of O reacts directly to the immediately preceding
move by P. I.e., if P attacks a granted formula then O’s next move either
defends this formula or attacks the formula used by P to launch this attack.
If, on the other hand, P’s last move was a defending one then O has to
attack immediately the formula stated by P in that defense move.

Winning Conditions (for P):

W: The game ends with P winning if O has attacked a formula that has already
been granted (either initially or in a later move) by O.

W-⊥: The game ends with P winning if O has granted ⊥.

A dialogue tree τ for Π ⊢ C is a rooted directed tree with nodes labelled by
dialogue sequents and edges corresponding to moves, such that each branch of
τ is a dialogue with initially granted formulas Π and initial formula C. We thus
identify the nodes of a dialogue tree with states of a dialogue. We distinguish
P-nodes and O-nodes, according to whether it is P’s or O’s turn to move at the
corresponding state.

A finite dialogue tree is a winning strategy (for P) if the following conditions 
hold: 

1. Every P-node has at most one successor node. 

2. All leaf nodes are P-nodes in which the winning conditions for P are fulfilled. 

3. Every O-node has a successor node for each move by O that is a permissible 
continuation of the dialogue (according to the rules) at this stage. 

Winning strategies for a player in a non-cooperative two-person game are more
commonly described as functions assigning a move for that player to each state of
the game, taking into account all possible moves of the opponent. Observe that
our tree form of a winning strategy just describes the corresponding function
in a manner that makes the step-wise evolution of permissible dialogues more
explicit.

As already mentioned, a dialogue game may be viewed as a state transition
system, where moves in a dialogue correspond to transitions between P-nodes
and O-nodes. A dialogue then is a possible trace in the system; and a winning
strategy can be obtained by a systematic ‘unraveling’ of all possible traces.

To illustrate this point, consider the implicational fragment of the language;
i.e., the set of formulas not containing ∧ or ∨. Henceforth we use the following
notation: For every compound formula F of form C ⊃ D, F_p denotes C and F_c
denotes D. If F is atomic then F_p is empty (and F_c remains undefined). F_pp is C_p
if F = C ⊃ D. The figure, below, represents all permissible moves in a dialogue
for this fragment. By labelling a transition with Π ← F we denote that F is
added to the multiset Π of granted formulas. A ← C means that C, as a result
of the corresponding move, is the new active formula.

[State transition diagram for the implicational fragment: one P-node and two
O-nodes, one reached by a defense of P and one reached by an attack of P; the
diagram itself is not reproduced in this scan.]

The encircled labels denote the dialogue sequent at the corresponding state. The
edges from the P-node to the two O-nodes correspond to the principal choice of
player P: either to defend the active formula or to attack a compound formula B
from the granted formulas. (The fact that A_c is undefined if A is atomic means
that in this case the transition from node P to the defense O-node is not possible.
This corresponds to the stipulation of rule Atom, that atomic formulas cannot be
defended by P. However, remember that the dialogue is already in a winning
state for P if the active formula A is among the granted formulas Π.)

On the other hand, according to the structural rule E, player O has no choice
but to attack the last formula of P if P’s last move was a defense (i.e., if the
dialogue is in the defense O-node). In the attack O-node, however, O may either
defend the attacked formula or attack the formula used by P in launching the
last attack (‘counter-attack’).

The winning conditions have to be checked at state P only. If ⊥ ∈ Π or
A ∈ Π then the game ends in that state with P winning.

Adding ∧ and ∨ to the language amounts to adding further possible transitions
(between the node P and the defense O-node, and between P and the attack
O-node, respectively).
Basic Adequateness of Dialogues

Proving the adequateness of dialogue games for intuitionistic logic consists
in showing that winning strategies can be transformed into (analytic) proofs of
Gentzen’s well known sequent calculus LI for intuitionistic logic, and vice versa.³
To this aim, we use the following variant LI' of LI:

Axioms: ⊥, Π → C and A, Π → A

Logical Rules:⁴

          A, A ∨ B, Π → C     B, A ∨ B, Π → C
    (∨,l) ------------------------------------
                    A ∨ B, Π → C

               Π → A_i
    (∨,r) ------------------  (i = 1, 2)
            Π → A_1 ∨ A_2

          A_i, A_1 ∧ A_2, Π → C
    (∧,l) ---------------------  (i = 1, 2)
             A_1 ∧ A_2, Π → C

          Π → A     Π → B
    (∧,r) -----------------
             Π → A ∧ B

          A ⊃ B, Π → A     B, A ⊃ B, Π → C
    (⊃,l) --------------------------------
                  A ⊃ B, Π → C

            A, Π → B
    (⊃,r) -------------
           Π → A ⊃ B

Structural Rules: These are the usual weakening, contraction and cut rules.

It is straightforward to check that LI' is sound and complete for intuitionistic 
logic. As a corollary, the following holds: 



Proposition 1. A, Γ → A ⊃ B is provable in LI' only if Γ → A ⊃ B is
provable.



Theorem 1. Every winning strategy τ for Γ ⊢ C (i.e., for dialogues with initial
formula C, where player O initially grants the formulas in Γ) can be transformed
into an LI'-proof of Γ → C.

Proof. We prove by induction on the depth d of τ that for every P-node of τ
there is an LI'-proof of the sequent corresponding to the dialogue sequent at
this node. That this implies the theorem is obvious for the cases where C is
either atomic, or a disjunction, or a conjunction; because, in those cases, the
dialogue sequent at the P-node(s) immediately succeeding the root node is (are)
identical to Γ ⊢ C. In the case where C = A ⊃ B, the P-node succeeding the
root carries A, Γ ⊢ A ⊃ B as dialogue sequent; and thus the theorem follows
from Proposition 1.

The base case, d = 1, follows from the fact that the P-node (or, in case of C
being a conjunction, the two P-nodes) succeeding the root is a (are) leaf node(s).
This implies that one of the winning conditions — C ∈ Γ or ⊥ ∈ Γ — must
hold. Consequently, the corresponding sequent Γ → C is an axiom.

For d > 1 we have to distinguish cases according to the form of the active
formula that is defended or the (compound) formula that is attacked by P.

³ Quite a few proofs of the adequateness of dialogue games for characterizing
intuitionistic logic can be found in the literature. Since we will build directly on such
a proof — also in going beyond intuitionistic logic — we have to present our own
version of it, which draws on ideas from [13, 14] and [8] but differs in a number of
essential details.

⁴ Since ⊥ is in the language, we do not have to consider empty right hand sides of
sequents.
To keep the proof concise, we will only elaborate it for the implicational
fragment of the language; it is straightforward to augment the proof to cover
also conjunctions and disjunctions.

1. P defends A ⊃ B: Let A, Π ⊢ A ⊃ B be the dialogue sequent at the
current P-node. P moves from the P-node to the defense O-node by stating B. O
has to reply with a move attacking B. We distinguish two cases:

(a) If B is an atom then the attack consists in stating ?. Thus we return to
a P-node with dialogue sequent A, Π ⊢ B. By the induction hypothesis
there is an LI'-proof of A, Π → B, which can be extended to a proof
of A, Π → A ⊃ B by applying rule (⊃,r) and weakening.

(b) If B is of form B_p ⊃ B_c then O has to attack B by adding B_p to the
granted formulas Π. Thus we return to a P-node with dialogue sequent
A, B_p, Π ⊢ B. By the induction hypothesis there is an LI'-proof of
A, B_p, Π → B. By Proposition 1 we obtain an LI'-proof of A, Π → B.
The required proof of A, Π → A ⊃ B is obtained by applying rule
(⊃,r) and weakening.

2. P attacks D ⊃ E: Let D ⊃ E, Π ⊢ A be the dialogue sequent at the
current P-node. P’s attack consists in stating D. (The move refers to the
edge from node P to the attack O-node in the state transition diagram, above.)
The strategy then branches since O may either defend the implication or
attack D.

(a) If O chooses to attack D then D_p is added to the granted formulas if
D = D_p ⊃ D_c. If D is atomic the multiset of granted formulas remains
unchanged. In any case, D is the new active formula at the succeeding
P-node. The corresponding dialogue sequent is (1) D_p, D ⊃ E, Π ⊢ D,
where D_p is empty if D is atomic.

(b) If, on the other hand, O chooses to defend D ⊃ E then it has to grant E.
The active formula at the succeeding P-node remains A. The corresponding
dialogue sequent is (2) E, D ⊃ E, Π ⊢ A.

By the induction hypothesis there are LI'-proofs of the sequents corresponding
to (1) and (2). By Proposition 1 we may remove D_p from the left hand
side of the sequent corresponding to (1). Therefore we obtain a proof of
D ⊃ E, Π → A by combining the two proofs with an application of rule
(⊃,l). □
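The state transition system of Section 2 and the case analysis of Theorem 1 above can be run as a program. The following Python script is an added example and is not code from the paper or its author: it unravels the transition system for the implicational fragment (a P-node is the pair of granted formulas and active formula, with O replying according to rule E), returns a winning strategy tree whenever one exists, and translates that tree into an LI'-proof step by step as in the proof of Theorem 1. The formula encoding, the tuple-based trees and the cut-off on states repeated along a branch are choices of this example; the cut-off is justified by the observation that a finite winning strategy never needs to pass through the same state twice on one branch.

```python
# Added example, not from the paper: I-dialogues for the implicational
# fragment as a state transition system, an exhaustive search for winning
# strategies, and the strategy-to-LI'-proof translation of Theorem 1.
# Atoms are strings, BOT is falsum, ("⊃", A, B) is the implication A ⊃ B.
# A P-node is the pair (granted, active): the formulas granted by O (a
# frozenset, since only membership matters for the winning conditions) and
# the active formula that P has to uphold.

BOT = "⊥"


def imp(a, b):
    return ("⊃", a, b)


def is_imp(f):
    return isinstance(f, tuple)


def o_attack(granted, f):
    """Rule E: O attacks the formula f that P has just stated.  Against C ⊃ D
    the attack consists in granting C; against an atom O states '?'.  Either
    way f is the active formula at the resulting P-node."""
    return (granted | {f[1]}, f) if is_imp(f) else (granted, f)


def winning_strategy(granted, active, path=frozenset()):
    """Winning-strategy tree for the P-node (granted ⊢ active), or None.

    Tree nodes are ("win", node), ("defend", node, child) and
    ("attack", node, B, child_if_O_defends, child_if_O_counterattacks):
    one successor per P-node, one child per permissible O reply.  A state
    already on the current branch is cut off, because a finite winning
    strategy never has to pass through the same state twice."""
    node = (granted, active)
    if active in granted or BOT in granted:          # winning conditions W and W-⊥
        return ("win", node)
    if node in path:
        return None
    path = path | {node}
    if is_imp(active):                               # P defends A ⊃ B by stating B
        child = winning_strategy(*o_attack(granted, active[2]), path)
        if child is not None:
            return ("defend", node, child)
    for b in granted:                                # P attacks a granted D ⊃ E by stating D
        if not is_imp(b):
            continue                                 # rule Atom: P cannot attack atoms
        defended = winning_strategy(granted | {b[2]}, active, path)   # O grants E
        if defended is None:
            continue
        countered = winning_strategy(*o_attack(granted, b[1]), path)  # O counter-attacks D
        if countered is not None:
            return ("attack", node, b, defended, countered)
    return None


def strategy_for(gamma, c):
    """Winning strategy for Γ ⊢ C; by rule Start the game opens with O's attack on C."""
    return winning_strategy(*o_attack(frozenset(gamma), c))


def is_valid(gamma, c):
    return strategy_for(gamma, c) is not None


def li_proof(strategy):
    """Theorem 1: turn a winning strategy into an LI'-proof (rule, (Γ, C), premises).

    Contexts are sets, so weakening and the Proposition 1 step that drops a
    granted premise are left implicit; the assertions check exactly the side
    conditions under which each step is an LI' inference."""
    kind, (granted, active) = strategy[0], strategy[1]
    if kind == "win":                                # leaf: C ∈ Γ or ⊥ ∈ Γ, an LI' axiom
        assert active in granted or BOT in granted
        return ("axiom", (granted, active), [])
    if kind == "defend":                             # case 1: A, Π → B yields A, Π → A ⊃ B by (⊃,r)
        sub = li_proof(strategy[2])
        b = active[2]
        extra = {b[1]} if is_imp(b) else set()       # B_p, removed by Proposition 1 in case 1(b)
        assert sub[1][1] == b and sub[1][0] <= granted | extra
        return ("(⊃,r)", (granted, active), [sub])
    _, _, (_, d, e), defended, countered = strategy  # case 2: (⊃,l) on the attacked D ⊃ E
    left, right = li_proof(countered), li_proof(defended)
    extra = {d[1]} if is_imp(d) else set()           # D_p, removed by Proposition 1 in case 2(a)
    assert left[1][1] == d and left[1][0] <= granted | extra
    assert right[1][1] == active and right[1][0] <= granted | {e}
    return ("(⊃,l)", (granted, active), [left, right])


def proof_size(proof):
    return 1 + sum(proof_size(p) for p in proof[2])


if __name__ == "__main__":
    a, b = "a", "b"
    print(is_valid([], imp(a, imp(b, a))))               # True
    print(is_valid([], imp(imp(imp(a, b), a), a)))      # False: no winning strategy for Peirce's law
    print(li_proof(strategy_for([imp(a, b), a], b)))    # an (⊃,l) step over two axioms
```

Running the script shows the two directions of the correspondence on small inputs: `a ⊃ (b ⊃ a)` and modus ponens yield strategies and proofs, while Peirce's law and `¬¬a ⊃ a` have no winning strategy, as expected for intuitionistic logic. The search is exponential in the size of the formula; it is meant to make the transition system and Theorem 1 concrete, not to be an efficient decision procedure.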

Remark 1. For proving the soundness of dialogue games (by this we mean that 
winning strategies only exist for intuitionistically valid sequents) it would in fact 
not have been necessary to refer to formal derivations. It rather suffices to check 
that intuitionistic validity transfers from the leaves of a dialogue tree upwards 
to the root. However for the following completeness proof the special format of 
the intuitionistic proofs is essential. 

The ‘weakening friendly’ formulation of the axioms and rules of LI' allows
one to eliminate applications of the weakening rule. (Weakenings in LI'-proofs can
be moved upwards to the axioms, where they are obviously redundant.) Also
the contraction rule becomes redundant if we disregard multiple occurrences of
the same formula in the left hand side of a sequent. Most importantly, LI' is
complete also without cut. Let us refer to a proof that does not contain any
applications of structural rules as strongly analytic. The following proposition
then sums up the just made observations.

Proposition 2. There is a strongly analytic proof in LI' for Γ → C if and
only if Γ' → C is provable in LI', where Γ' equals Γ if taken as set (i.e., if
multiple memberships of the same element are discarded).

Theorem 2. Every strongly analytic LI'-proof π of Γ → C can be transformed
into a winning strategy for Γ ⊢ C.

Proof. We proceed by induction on the depth of π. Again, we show the theorem
only for the implicational fragment of the language.

If Γ → C is an axiom the winning strategy (consisting of two nodes) is
obvious. There are two cases to consider for the induction step.

1. π ends with an application of (⊃,r): The end sequent is of form Γ →
A ⊃ B.

By the induction hypothesis there is a winning strategy τ for A, Γ ⊢ B. τ
can be extended to a winning strategy for Γ ⊢ A ⊃ B as follows. We define
a new root node; i.e., an O-node with dialogue sequent Γ ⊢ A ⊃ B. To
this root we attach an edge that leads to a new P-node. The corresponding
move of O consists in granting A as an attack on A ⊃ B. Therefore the
dialogue sequent at the new P-node is A, Γ ⊢ A ⊃ B. We now only have to
add an edge from this node to the root node of τ. This edge corresponds to
P stating B in defense of A ⊃ B.

2. π ends with (⊃,l): The end sequent is of form A ⊃ B, Γ → C.

By the induction hypothesis there is a winning strategy τ1 for A ⊃ B, Γ ⊢ A,
and a winning strategy τ2 for B, A ⊃ B, Γ ⊢ C. Let τ1' be the tree, rooted in
a P-node with dialogue sequent A ⊃ B, C_p, A_p, Γ ⊢ A, that is obtained from
τ1 by removing its root and adding C_p to the granted formulas. We appeal to
the general fact that a winning strategy for Π ⊢ E is also a winning strategy
for C, Π ⊢ E. Similarly let τ2' be the tree obtained from τ2 that is rooted in
a P-node with dialogue sequent B, C_p, A ⊃ B, Γ ⊢ C. The construction of
the winning strategy for A ⊃ B, Γ ⊢ C is illustrated in the following picture
that refers to the state transition diagram, presented above.

[The picture is not reproduced in this scan.]
From now on we use the term I-dialogues to denote the dialogues that have
been described in this section.



3 Hypersequent Calculi for Intermediate Logics 



Intermediate logics (when identified with the sets of their valid formulas) include
intuitionistic logic and are included in classical logic. To introduce communicating
parallel dialogues that are adequate for some well known intermediate logics
we have to switch from sequent to hypersequent calculi.

Hypersequent calculi arise by generalizing standard sequent calculi to refer
to whole contexts of sequents instead of single sequents. In our context,
a hypersequent is defined as a finite, non-empty multiset of LI'-sequents, called
components; written in form

    Γ1 → C1 | ... | Γn → Cn.

The symbol “|” is intended to denote disjunction at the meta-level.

Like ordinary sequent calculi, hypersequent calculi consist in axioms as well
as logical and structural rules. The latter are divided into internal and external
rules. The internal structural rules deal with formulas within components, while
the external ones manipulate whole components of a hypersequent. The standard
external structural rules are external weakening and external contraction:

               H                           Π → C | Π → C | H
    (EW) -------------            (EC) ----------------------
            Π → C | H                         Π → C | H

We can disregard (EW) by taking as axioms all hypersequents that contain an
LI'-axiom as component.

The logical rules of the hypersequent calculus HLI' for intuitionistic logic are
essentially the same as in LI'. The only difference is the presence of a side
hypersequent H, representing a (possibly empty) hypersequent. For instance, the
hypersequent version of the LI'-rule (⊃,l) is

          A ⊃ B, Π → A | H     B, A ⊃ B, Π → C | H
    (⊃,l) ----------------------------------------
                    A ⊃ B, Π → C | H
The hypersequent framework allows one to define analytic calculi for several
important intermediate logics. These include Gödel-Dummett logic G∞ (also
called LC) [6, 11], finite-valued Gödel logics Gn [11], and the logic LQ of weak
excluded middle [12], also called Jankov logic in reference to [12]. Adequate
calculi are obtained by adding just one structural rule, respectively, to the basic
hypersequent calculus HLI', defined above.

— The hypersequent calculus HLG' for G∞ is obtained from HLI' by adding
the following rule, a version of which has already been defined in [3]:

            Π1, Π2 → C1 | H     Π1, Π2 → C2 | H
    (com) -------------------------------------
               Π1 → C1 | Π2 → C2 | H

— The hypersequent calculi HG'_{k+1} for G_{k+1}, for all k ≥ 1, are obtained by
adding to HLI' the following rules, respectively, which (essentially) were
defined in [4]:

      H | Π1, Π2 → A1     H | Π2, Π3 → A2   ...   H | Πk, Πk+1 → Ak
    -------------------------------------------------------------------
               H | Π1 → A1 | ... | Πk → Ak | Πk+1 → ⊥

Note that G2 is nothing but classical logic CL.

— The hypersequent calculus HLQ' — a variant of which was defined in [5] —
is obtained from HLI' by adding the following rule:

            H | Π1, Π2 → ⊥
    (lq) ----------------------
          H | Π1 → ⊥ | Π2 → ⊥

Theorem 3. HLG', HG'_n, and HLQ' are sound and complete for the logics
G∞, Gn, and LQ, respectively.

Proof. Follows essentially from the soundness and cut-free completeness of the
original calculi proved in [3], [4], and [5], respectively. □



4 Parallel Dialogue Games 

To extend the close correspondence between strongly analytic sequent proofs 
and winning strategies for Lorenzen style dialogues to the hypersequent level 
we ask the following: what happens to the winning powers of P if we consider 
games where dialogues may proceed in parallel? Of course, this question can only 
be answered once we have defined more precisely what we mean by ‘parallel 
dialogue games’. Many options are open for exploration. Here, we investigate 
parallel versions of I-dialogue games, that share the following features: 

1. The logical and structural rules of I-games remain unchanged. Indeed,
ordinary I-game dialogues appear as a sub-case of the more general parallel
framework.

2. The proponent P may initiate additional I-dialogues by ‘cloning’ the dialogue
sequent of one of the parallel I-dialogues, in which it is her turn to move.

3. To win a set of parallel dialogues the proponent P has to win at least one of
the component dialogues.

These items reflect basic decisions concerning ‘parallelization’. In particular, 
it should be clear that we want to separate the level of individual dialogue 
moves strictly from the initiation of new dialogues and the interaction between 
dialogues. Moreover, we like to consider P as the (sole) ‘scheduler’ of parallel 
dialogues. (These features should be contrasted with alternative concepts of 
dialogue games, like the ones in [1, 2].) 

Before exploring rules for the synchronization of parallel dialogues, we will 
investigate parallel I-dialogues as specified by conditions 1-3, alone. We will see 
that this results in a game that does not change the winning powers of P over 
the (single) I-dialogue game. 

Notation. A parallel I-dialogue (P-I-dialogue) is a sequence of nodes
connected by moves. Each node ν is labelled by a global state S(ν). A global state
is a non-empty finite set {Π1 ⊢_ι1 C1, ..., Πn ⊢_ιn Cn} of indexed I-dialogue
sequents. Each index ιk uniquely names one of the n elements, called component
dialogue sequents or simply components, of the global state. In each of the
components it is either P’s or O’s turn to move. We will speak of a P-component
or an O-component, accordingly. We distinguish internal and external moves.

Internal Moves combine single I-dialogue moves for some (possibly also none or
all) of the components of the current global state. An internal move from global
state {Π1 ⊢_ι1 C1, ..., Πn ⊢_ιn Cn} to global state {Π'1 ⊢_ι1 C'1, ..., Π'n ⊢_ιn C'n}
consists in a set of indexed I-dialogue moves {ι_i1 : move1, ..., ι_im : movem}, such
that the indices i_j, 1 ≤ j ≤ m, are pairwise distinct elements of {1, ..., n}.
Π'k ⊢_ιk C'k denotes the component that results from applying the move with
index ιk to the component indexed by ιk if k ∈ {i1, ..., im}; otherwise Πk = Π'k and
Ck = C'k.

External Moves, in contrast to internal moves, may add or remove components
of a global state, but do not change the local status (P or O) of existing
components.

For now, we define only one external move, called fork.

fork is a move by P and consists in duplicating one of the P-components of
the current global state and assigning a new unique index to the added
component.

Clearly, fork corresponds to item 2 in the above list of basic features of our
parallel dialogue games. We call the new index generated by fork a child of the
original index of the duplicated component.

The central condition in the definition of a P-I-dialogue is the following:

— each sequence of I-dialogue moves that arises by picking at most one element
ι_i : move_i from each of the consecutive internal moves, such that for all 1 ≤
i < n either ι_{i+1} = ι_i or ι_{i+1} is a child of ι_i, forms an I-dialogue.
The initial global state S(ν) — that is the state labelling the root node ν
of a P-I-dialogue — consists only of O-components. We speak of a P-I-dialogue
for S(ν).



Example 1. We exhibit a P-I-dialogue for ⊢ ¬a ∨ a, for some atom a. Remember
that ¬a abbreviates a ⊃ ⊥:

    {⊢_1 ¬a ∨ a}
      ↓ {1 : ? [attack ∨]}
    {⊢_1 ¬a ∨ a}
      ↓ {fork : 1}
    {⊢_1 ¬a ∨ a, ⊢_2 ¬a ∨ a}
      ↓ {1 : ¬a [defense ∨l], 2 : a [defense ∨r]}
    {⊢_1 ¬a, ⊢_2 a}
      ↓ {1 : a [attack ⊃], 2 : ? [attack atom]}
    {a ⊢_1 ¬a, ⊢_2 a}
      ↓ {1 : ⊥ [defense ⊃]}
    {a ⊢_1 ⊥, ⊢_2 a}
      ↓ {1 : ? [attack atom]}
    {a ⊢_1 ⊥, ⊢_2 a}

Alternative P-I-dialogues for ⊢ ¬a ∨ a are possible; but it is easy to check that
none of these dialogues leads to a state where player P is winning. However, we
will see below that a special synchronization rule, which is adequate for classical
logic, allows one to extend this dialogue to a winning strategy for ¬a ∨ a.

The parallel version of the dialogue game may be viewed as a finite collection 
of state transition systems that are coordinated by referring to a global, discrete 
flow of time. At each time step some (possibly also none or all) of the component 
dialogues advance by one move. In a fork-move the component dialogues remain 
in their individual current states but a new dialogue, that copies the state of one 
of the old ones, is created. 

Observe that our definition of a P-I-dialogue game allows for considerable
flexibility in ‘implementing’ the involved parallelism. We may, for example, require
that all component dialogues have to advance at each time step; or, alternatively,
that at most k dialogues may advance simultaneously (even if there
are more than k components). The latter option might, e.g., be understood as
modeling a dialogue game where P and O are not single persons, but rather
consist of teams of k players each, and where each component dialogue is
conducted by a different pair of opposite players. If, instead, we stick with a single
proponent and a single opponent (i.e., k = 1) it seems natural to ‘sequentialize’
by dove-tailing the components of parallel moves. This motivates the following
definition:

~ A P-I-dialogue is called sequentialized if every internal move is a singleton set. 

In the proof of Theorem 1 it was essential that full cycles of moves in a win- 
ning strategy — from a P-state to an O-state and back again to a P-state with 
an immediately responding move of O — correspond to a single inference step 
in LI^ However, even in sequentialized P-I-dialogues such cycles may be inter- 
rupted by internal moves referring to other components or by external moves. 
We therefore define a P-I-dialogue to be normal if the following condition holds. 
Every internal move that contains a P-move indexed with tfc 

— is immediately followed by another internal move with a t/c-indexed element 
(O-reply), 

— or, else, is the last move in the component dialogue referred to by ik. 

Remark 2. In combination with structural rule E (see Section 2), the conditions for normality can be understood as the stipulation that the proponent of a parallel dialogue game is the sole ‘scheduler’. In other words, although P has no control over choices of O as long as they are immediate replies to her own previous move, P always determines at which dialogue component the game is to be continued.

Theorem 4. Every finite P-I-dialogue $\delta$ for $\Sigma$ can be translated into a sequentialized normal P-I-dialogue for $\Sigma$ ending in the same global state as $\delta$.

Proof. Sequentialization is easily achieved by replacing every internal move $\{i_1 : move_1, \ldots, i_n : move_n\}$ by a sequence $\{i_1 : move_1\}, \ldots, \{i_n : move_n\}$ of internal moves. (Observe that, by the definition of an internal move, the indices $i_j$ are pairwise different and therefore refer to different components of a global state.)

To obtain a normal dialogue, assume that $\delta$ is already sequentialized. Unless $\delta$ is already normal, it contains a subsequence of at least three moves $\{i_1 : move_1\}, \{i_2 : move_2\}, \ldots, \{i_n : move_n\}$, where $i_1 = i_n$, but $i_k \neq i_1$ for all $2 \le k < n$, and where $move_n$ is an I-dialogue move by O that directly reacts to $move_1$ by P. Clearly, reordering the sequence of moves into $\{i_1 : move_1\}, \{i_n : move_n\}, \{i_2 : move_2\}, \ldots, \{i_{n-1} : move_{n-1}\}$ results in the same final global state. Note that, disregarding proper notation, the moves $\{i_2 : move_2\}$ to $\{i_{n-1} : move_{n-1}\}$ may actually also be external moves without affecting the result. The claim follows by repeating this rearrangement of moves as often as possible. □

Note [Important]. For the rest of the paper we will consider all parallel dialogues to be sequentialized and normal. Sequentialization implies that, just like for I-dialogues, we can speak of P-moves and O-moves of P-I-dialogues. (fork also is a P-move.) Since the set parentheses are redundant in denoting moves of sequentialized dialogues, we will omit them from now on.
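The sequentialization and normalization procedure from the proof of Theorem 4, as executable code. This is an added example and not part of the paper; the encoding of an indexed move as a (component index, player, text) triple, the `fork` move with index `None`, and the sample dialogue `DEMO` are assumptions made here.

```python
"""Sequentializing and normalizing P-I-dialogues as in the proof of Theorem 4.
Added example code, not the paper's; the move encoding is an assumption."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Move:
    """One indexed element i_k : move of a dialogue move.  comp is the component
    index (None for an external move such as fork), player is 'P' or 'O'."""
    comp: Optional[int]
    player: str
    text: str

def sequentialize(dialogue):
    """Replace each internal move {i_1: move_1, ..., i_n: move_n} (encoded as a
    tuple of Move) by the singleton moves {i_1: move_1}, ..., {i_n: move_n}."""
    out = []
    for move in dialogue:
        idx = [m.comp for m in move if m.comp is not None]
        assert len(idx) == len(set(idx)), "indices of an internal move are pairwise different"
        out.extend((m,) for m in move)
    return out

def _next_in_component(seq, pos):
    """Position of the next move in the same component as seq[pos], or None."""
    comp = seq[pos][0].comp
    return next((j for j in range(pos + 1, len(seq)) if seq[j][0].comp == comp), None)

def is_normal(seq):
    """Normality for a sequentialized dialogue: every P-move indexed i_k is
    immediately followed by the i_k-indexed O-reply, or is the last move of
    component i_k.  (Assumes P and O alternate inside each component.)"""
    for pos, (m,) in enumerate(seq):
        if m.comp is not None and m.player == 'P':
            j = _next_in_component(seq, pos)
            if j is not None and j != pos + 1:
                return False
    return True

def normalize(seq):
    """Theorem 4: while an O-reply {i_n: move_n} to a P-move {i_1: move_1}
    (i_1 = i_n) is separated from it by moves of other components or external
    moves, reorder to {i_1: move_1}, {i_n: move_n}, {i_2: move_2}, ... .  The
    final global state is unchanged since the moved-over moves act on other
    components.  Each step shrinks the gap, so the loop terminates."""
    seq = list(seq)
    while not is_normal(seq):
        for pos, (m,) in enumerate(seq):
            if m.comp is None or m.player != 'P':
                continue
            j = _next_in_component(seq, pos)
            if j is not None and j != pos + 1:
                seq.insert(pos + 1, seq.pop(j))
                break
    return seq

# Constructed sample dialogue: O attacks in component 1, P forks component 1
# into a new component 2, then P and O move in both components in parallel.
DEMO = [
    (Move(1, 'O', 'attack'),),
    (Move(None, 'P', 'fork 1 -> 2'),),
    (Move(1, 'P', 'defend'), Move(2, 'P', 'defend')),
    (Move(1, 'O', 'attack'), Move(2, 'O', 'attack')),
]

def demo():
    """(component, player) of each move after sequentializing and normalizing DEMO."""
    return [(m.comp, m.player) for (m,) in normalize(sequentialize(DEMO))]
```

Running `demo()` on the sample dialogue pulls O's reply in component 1 directly behind P's move there, so the P-move of component 2 and its reply follow afterwards; the multiset of moves is unchanged, only their order.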
A P-I-dialogue tree $\tau$ for $\Sigma$ is a rooted, directed tree with global states as nodes and edges labelled by (internal or external) moves such that each branch of $\tau$ is a P-I-dialogue for $\Sigma$.

A finite P-I-dialogue tree is called a winning strategy if the following condition is satisfied for every node $\nu$:

(p) either $\nu$ has a single successor node, the edge to which is labelled by a P-move,

(o) or for each O-move that is a permissible continuation of the dialogue at global state $\Sigma(\nu)$ there is an edge leaving $\nu$ that is labelled by this move,

(w) or $\nu$ is a leaf node and at least one of the components of $\Sigma(\nu)$ fulfills the winning conditions (for P).

Nodes satisfying (p) are called P-nodes; and nodes satisfying (o) are called O-nodes. Observe that, by normality, P-moves and O-moves strictly alternate in each branch, except for the initial segment (consisting of more than one consecutive O-nodes, in general) and external moves (which, in general, result in consecutive P-nodes).

Theorem 5. Every winning strategy $\tau$ for sequentialized normal P-I-dialogues with initial global state $\{\Sigma \vdash_1 C\}$ can be transformed into an HLI'-proof of $\Sigma \to C$.

Proof. We show by induction on the depth of $\tau$ that for every P-node of $\tau$ labelled with global state $\Sigma$, there is an HLI'-proof of the corresponding hypersequent $[\Sigma]$. Since the branches of $\tau$ are normal and sequential dialogues, edges of $\tau$ that correspond to internal moves are translated into corresponding inference steps using logical rules of HLI', exactly as in the proof of Theorem 1. Moreover, if the winning condition is fulfilled for one of the component dialogues, then the global state clearly corresponds to an axiom of HLI'.

It remains to show that also fork translates into external contraction (EC): Suppose $\nu \to \nu'$ is an edge of $\tau$ corresponding to a last fork-move of a branch of $\tau$. Then the global state $\Sigma(\nu')$ is like $\Sigma(\nu)$ except for an additional dialogue sequent $\Sigma \vdash_{i'} A$, where the index $i'$ is not yet used at $\nu$, but where, for some $i_j$, $\Sigma \vdash_{i_j} A$ is an element of $\Sigma(\nu)$. Clearly, the required HLI'-proof of $[\Sigma(\nu)]$ is obtained from the proof of $[\Sigma(\nu')]$ by adding an appropriate application of (EC) as the last inference. □

Again, we call cut-free proofs without applications of (internal or external) weakening or internal contraction strongly analytic.

Theorem 6. Every strongly analytic HLI'-proof $\pi$ of the hypersequent $\Sigma \to C$ can be transformed into a winning strategy $\tau$ for P-I-dialogues for $\{\Sigma \vdash_1 C\}$.

Proof. Since $\pi$ is strongly analytic, there are no applications of internal structural rules. The logical rules of HLI' translate into full P-O-P-cycles of internal moves, exactly as in the proof of Theorem 2. It remains to show that external weakenings correspond to fork-moves for P-I-dialogues. It suffices to consider a sub-proof of $\pi$ ending with the inference

$$\frac{H \mid \Pi \to D \mid \Pi \to D}{H \mid \Pi \to D}\ (EC)$$

By induction hypothesis there exists a winning strategy $\tau'$ for $\{\Pi \vdash_{i_1} D\} \cup \{\Pi \vdash_{i_2} D\} \cup \langle H \rangle$, which has to be extended to one for $\{\Pi \vdash_{i_1} D\} \cup \langle H \rangle$, where $\langle H \rangle$ denotes the set of dialogue sequents corresponding to the components of $H$. This is easily achieved by inserting a new edge corresponding to an appropriate instance of the fork-move immediately after the initial (internal O-)move of $\tau'$. □



5 Synchronizing Dialogues 

Synchronization between I-dialogues is formalized as merging of two or more 
dialogues into one according to the following general principle: P selects (for 
merging) some P-components from the global state. The picked components 
are then merged into a new dialogue in some straightforward way. For some 
synchronization rules, there are different possible ways to merge the components 
picked by P. In those cases O may choose one of them. 

In [10] the following (two-part) synchronization rule for Gödel-Dummett logic $G_\infty$ was already discussed briefly:

lc – P-part: P picks two (indices of) P-components $\Pi_1 \vdash_{i_1} C_1$ and $\Pi_2 \vdash_{i_2} C_2$ from the current global state and thus indicates that $\Pi_1 \cup \Pi_2$ will be the granted formulas of the resulting merged dialogue sequent.

lc – O-part: In response to this external P-move, O chooses either $C_1$ or $C_2$ as the active formula of the merged component, which is indexed by $i_1$ or $i_2$, correspondingly.



Not only infinite-valued Gödel logic can be characterized by an appropriate parallel dialogue game, but also each of the $n$-valued Gödel logics $G_n$. Here is the appropriate synchronization rule, parameterized by $n$, where $n \ge 2$:

$g_n$ – P-part: P picks $n - 1$ P-components $\Pi_1 \vdash_{i_1} C_1, \ldots, \Pi_{n-1} \vdash_{i_{n-1}} C_{n-1}$, and a P-component of form $\Pi_n \vdash_{i_n} \bot$ from the current global state for merging.

$g_n$ – O-part: O chooses one of the components $\Pi_1 \cup \Pi_2 \vdash_{i_1} C_1$, $\Pi_2 \cup \Pi_3 \vdash_{i_2} C_2$, … or $\Pi_{n-1} \cup \Pi_n \vdash_{i_{n-1}} C_{n-1}$ as the merged component, that replaces the components picked by P.

Note that for the case of two truth values, i.e., for classical logic, no proper choice is left for O; hence $g_2$ can be stated more simply as follows:

cl (= $g_2$): If the global state contains a P-component of form $\Pi \vdash_i \bot$ then P may remove this component and add $\Pi$ to the granted formulas of another P-component of the global state.
In other words, if P detects that in one of the components she faces the task to defend falsum, then she may cancel the corresponding I-dialogue while transferring its currently granted formulas to another P-component of her choice.

Example 2. Rule cl allows P to continue the parallel dialogue for $\neg a \vee a$ in Example 1 as follows:

    {a ⊢_1 ⊥, ⊢_2 a}
         | cl: 1,2
    {a ⊢_1 a}

P wins!





Replacing cl by the following subtle variant allows one to characterize Jankov logic LQ, which allows P to win every dialogue for a formula of form $\neg A \vee \neg\neg A$:

lq: If the global state contains a P-component of form $\Pi \vdash_i \bot$ then P may remove this component and add $\Pi$ to the granted formulas of another P-component of the global state, which also has $\bot$ as active formula.



We summarize the above synchronization rules and provide names to the resulting systems of parallel dialogue games in the following table.

Parallel dialogue games extending P-I-games (all dialogue sequents exhibited in the table are P-components):

    System | Rule       | Synchronization (external merging move)
    -------+------------+------------------------------------------------------------------------------
    P-G    | lc         | P wants to merge Π_1 ⊢_{i_1} C_1 and Π_2 ⊢_{i_2} C_2;
           |            | O chooses either Π_1 ∪ Π_2 ⊢_{i_1} C_1 or Π_1 ∪ Π_2 ⊢_{i_2} C_2
    P-G_n  | g_n        | P wants to merge Π_1 ⊢_{i_1} C_1, ..., Π_{n-1} ⊢_{i_{n-1}} C_{n-1}, and Π_n ⊢_{i_n} ⊥;
           |            | O chooses either Π_1 ∪ Π_2 ⊢_{i_1} C_1, Π_2 ∪ Π_3 ⊢_{i_2} C_2, ...
           |            | or Π_{n-1} ∪ Π_n ⊢_{i_{n-1}} C_{n-1}
    P-Cl   | cl (= g_2) | P merges Π ⊢_{i_1} ⊥ and Γ ⊢_{i_2} C into Π ∪ Γ ⊢_{i_2} C
    P-LQ   | lq         | P merges Π ⊢_{i_1} ⊥ and Γ ⊢_{i_2} ⊥ into Π ∪ Γ ⊢_{i_2} ⊥

Let us call parallel dialogues that are defined exactly as P-I-dialogues, except for including one of the rules lc, $g_n$, or lq, P-G-, P-$G_n$-, and P-LQ-dialogues, respectively.
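The synchronization rules of this section, together with fork, written as transformations of a global state, and Example 2 replayed through them. This is an added example, not the paper's own formalization: the encoding of a P-component as (granted formulas, active formula), the index under which a merged component is stored, and the atomic winning test (the active formula is among the granted ones) are assumptions made here.

```python
"""Global states and the synchronization rules fork, lc, g_n, cl and lq of
parallel dialogue games.  Added example code, not the paper's; the component
encoding, the surviving index and the atomic winning test are assumptions."""
from dataclasses import dataclass

BOT = 'bot'   # falsum, the active formula of a component  Pi |-_i bot

@dataclass(frozen=True)
class Sequent:
    """A P-component Pi |-_i C: granted formulas Pi and the active formula C."""
    granted: frozenset
    active: str

def fork(state, i, new):
    """External P-move: add a copy of component i under the fresh index new."""
    assert new not in state
    return {**state, new: state[i]}

def lc(state, i1, i2, chosen):
    """Rule lc (P-G): P picks i1 and i2, O chooses which active formula survives;
    the result is Pi_1 u Pi_2 |-_chosen C_chosen."""
    assert i1 != i2 and chosen in (i1, i2)
    merged = Sequent(state[i1].granted | state[i2].granted, state[chosen].active)
    return {**{i: s for i, s in state.items() if i not in (i1, i2)}, chosen: merged}

def gn(state, picked, bot_index, chosen):
    """Rule g_n (P-G_n): P picks i_1, ..., i_{n-1} and a component Pi_n |- bot; O
    chooses i_k and Pi_k u Pi_{k+1} |-_{i_k} C_k replaces all picked components."""
    order = list(picked) + [bot_index]
    assert state[bot_index].active == BOT and len(order) == len(set(order))
    k = order.index(chosen)
    assert k < len(picked)
    merged = Sequent(state[order[k]].granted | state[order[k + 1]].granted,
                     state[chosen].active)
    return {**{i: s for i, s in state.items() if i not in order}, chosen: merged}

def cl(state, bot_index, target):
    """Rule cl (= g_2, P-Cl): remove a bot-component and add its granted formulas
    to another P-component; O has no choice."""
    assert state[bot_index].active == BOT and target != bot_index
    rest = {i: s for i, s in state.items() if i != bot_index}
    rest[target] = Sequent(rest[target].granted | state[bot_index].granted,
                           rest[target].active)
    return rest

def lq(state, bot_index, target):
    """Rule lq (P-LQ): as cl, but the target must also have bot as active formula."""
    assert state[target].active == BOT
    return cl(state, bot_index, target)

def p_wins(state):
    """Assumed atomic winning condition: in some component the active formula
    is among the granted ones."""
    return any(s.active in s.granted for s in state.values())

def example_2():
    """Example 2: {a |-_1 bot, |-_2 a} --cl: 1,2--> {a |- a}, and P wins."""
    state = {1: Sequent(frozenset({'a'}), BOT), 2: Sequent(frozenset(), 'a')}
    after = cl(state, 1, 2)
    return after, p_wins(after)
```

With `n = 2`, `gn` picks one ordinary component and one ⊥-component and leaves O a single option, so it yields the same state as `cl`, which is the observation made above that cl is $g_2$.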

Theorem 7. Every winning strategy $\tau$ for sequentialized normal P-G- (P-$G_n$-, or P-LQ-) dialogues with initial global state $\{\Gamma \vdash_1 A\}$ can be transformed into an HLC'- (H$G_n$'-, or HLQ'-) proof $\pi$ of the corresponding hypersequent $\Gamma \to A$, and vice versa.

Proof. Given the proofs of Theorems 5 and 6, it remains to show that the synchronization rules lc, $g_n$, and lq correspond to the hypersequent rules (com), ($g_n$), and (lq), respectively. We present the case for lc/(com); the other cases are similar or simpler.
($\Rightarrow$) Suppose $\nu_0 \to \nu'$ is an edge of $\tau$ which corresponds to an instance of lc. The relevant part of $\tau$ looks as follows. We use $F^P$ to denote $A$ if $F$ is of form $A \supset B$; otherwise $F^P$ is empty:

    ν_0 : Σ(ν_0),   where {C^P, Π_1 ⊢_{i_1} C,  D^P, Π_2 ⊢_{i_2} D} ⊆ Σ(ν_0)
        | lc, P-part: i_1, i_2
        +-- lc, O-part (C chosen) --> ν'  : Σ(ν')
        +-- lc, O-part (D chosen) --> ν'' : Σ(ν'')

where $\Sigma(\nu') = \Sigma(\nu_0) - \{C^P, \Pi_1 \vdash_{i_1} C, D^P, \Pi_2 \vdash_{i_2} D\} \cup \{C^P, \Pi_1, D^P, \Pi_2 \vdash_{i_1} C\}$ and $\Sigma(\nu'') = \Sigma(\nu_0) - \{C^P, \Pi_1 \vdash_{i_1} C, D^P, \Pi_2 \vdash_{i_2} D\} \cup \{C^P, \Pi_1, D^P, \Pi_2 \vdash_{i_2} D\}$. By induction hypothesis there exist HLC'-proofs $\pi_{\nu'}$ and $\pi_{\nu''}$ of the corresponding hypersequents $[\Sigma(\nu')]$ and $[\Sigma(\nu'')]$, respectively. Clearly, $\pi_{\nu'}$ and $\pi_{\nu''}$ can be joined by an application of (com) to obtain the required proof of $[\Sigma(\nu_0)]$.

($\Leftarrow$) Suppose $\pi$ contains a subproof that ends in an application of the communication rule. (To make the proof more transparent we disregard side hypersequents.)

$$\frac{\Gamma_1, \Gamma_2 \to C \qquad \Gamma_1, \Gamma_2 \to D}{\Gamma_1 \to C \mid \Gamma_2 \to D}\ (com)$$

By induction hypothesis there exist winning strategies $\tau_1$ and $\tau_2$ for $\{\Gamma_1, \Gamma_2 \vdash_{i_1} C\}$ and $\{\Gamma_1, \Gamma_2 \vdash_{i_2} D\}$, respectively, that are of the following form:

    ν_1 : {Γ_1, Γ_2 ⊢_{i_1} C}            ν_2 : {Γ_1, Γ_2 ⊢_{i_2} D}
        | 1: attack on C                      | 2: attack on D
    μ_1 : {C^P, Γ_1, Γ_2 ⊢_{i_1} C}        μ_2 : {D^P, Γ_1, Γ_2 ⊢_{i_2} D}
        |                                     |
       τ_1'                                  τ_2'

A winning strategy for $\{\Gamma_1 \vdash_{i_1} C, \Gamma_2 \vdash_{i_2} D\}$ is obtained by attaching to

    {Γ_1 ⊢_{i_1} C, Γ_2 ⊢_{i_2} D}
        | 1: attack on C,  2: attack on D
    μ : {C^P, Γ_1 ⊢_{i_1} C, D^P, Γ_2 ⊢_{i_2} D}

the nodes for the two parts of external move lc illustrated in case ($\Rightarrow$), above, where node $\mu$ is identified with node $\nu_0$. Finally, the sub-strategies $\tau_1'$ and $\tau_2'$ are attached by identifying node $\nu'$ with node $\mu_1$ and node $\nu''$ with node $\mu_2$.
Abstract. Several variants of a first-order simplification rule for non-normal form tableaux using syntactic constraints are presented. These can be used as a framework for porting methods like unit resolution or hyper tableaux to non-normal form free variable tableaux.



1 Introduction 

Non-clausal form analytic tableaux have a number of advantages over the proof procedures for clausal form implemented in most successful automated theorem provers. For instance, when the logic is enhanced by modal operators, clausal form cannot be used without previously translating the problems into first-order. Another case is the integration of automated and interactive theorem proving [1, 8], where normal forms would be counter-intuitive. Unfortunately, standard non-normal form tableaux tend to be rather inefficient, as many of the refinements available to clausal procedures are hard to adapt. Typical cases in point are unit resolution, especially for propositional provers like the Davis-Putnam-Logemann-Loveland (DPLL) procedure [7], the $\beta$ rules of the KE calculus [6], the application of ‘result substitutions’ in Stålmarck's procedure [17], and hyper tableaux [2]. The common feature of these techniques is that they involve inferences between several formulae derived from the formula to be proved, either by using one formula to simplify another one, or, for hyper tableaux, making tableau expansions depend on the presence of certain literals on a branch.

In [14], Massacci presents a simplification rule for propositional and modal tableau calculi. This rule is of the form

$$\begin{array}{c}\psi\\ \phi\end{array}\quad simp\quad \begin{array}{c}\psi[\phi]\\ \phi\end{array}$$

where $\psi[\phi]$ is the formula that results from first replacing all occurrences of $\phi$ in $\psi$ by $true$, and if $\phi = \neg\phi'$, all occurrences of $\phi'$ by $false$, and then applying a set of boolean simplifications of the form

$$\neg true \to false,\quad \neg false \to true,\quad true \wedge \phi \to \phi,\quad false \wedge \phi \to false,\ \text{etc.}$$



M. Cialdea Mayer and F. Pirri (Eds.): TABLEAUX 2003, LNAI 2796, pp. 65—80, 2003. 
(c) Springer-Verlag Berlin Heidelberg 2003 
to eliminate all occurrences of truth constants. Massacci shows that proof procedures using this rule can subsume a number of other theorem proving techniques for propositional logic, e.g. the unit rule of DPLL [7], the rules of KE [6], the regularity restriction, and hyper-tableaux [2]. This is done mainly by specifying the strategy of when and where to apply the simp rule.

While DPLL and hyper-tableaux are originally formulated for problems in clause normal form (CNF), the simplification rule is applicable to arbitrary predicate logic formulae, making it a good framework to generalize CNF techniques to the non-normal form case. Massacci gives variants of the simplification rule for various modal logics. In [13], he also gives a variant of the rule for first-order free-variable tableaux. Unfortunately, this rule does not in general subsume first-order versions of unit-resolution, hyper-tableaux etc., because it places strong restrictions on the instantiation of free variables.

This paper presents variants of the simplification rule for first order logic 
which overcome this limitation. The rules were first introduced in [9], but the 
proofs of most of the theorems were only sketched there. 

2 Simplification with Global Instantiation 

Consider a free-variable tableau branch with the formulae $p(X) \vee q(X)$ and $\neg p(a)$, where $X$ is a free variable. If $X$ were instantiated with $a$, the disjunction could be simplified to $q(a)$. Our task is to find a version of this ground simplification that works with free variables. The step from a ground version to a free variable version of a rule or a proof is usually referred to as lifting.

One possibility for lifting the simplification rule consists in applying a substitution to the whole proof, that unifies certain subformulae, so that a simplification becomes possible.

Such a rule would be formulated using the most general unifier (mgu) of the simplifying formula and some subformula of the simplified formula. A little care must be taken to prevent the instantiation of bound variables by such a unifier. We call (an occurrence of) a subformula $\xi$ of $\phi$ simplifiable, if no variable occurring free in $\xi$ is bound by $\phi$. So $p(x)$ is simplifiable in $\exists y.(q(y) \wedge p(x))$, but not in $\exists x.(p(y) \wedge p(x))$. It is also simplifiable in $(\exists x.q(x)) \wedge p(x)$, because the quantifier does not bind the $x$ occurring free in $p(x)$.

Using this notion, a simplification rule with global instantiation can be given¹:

$$\begin{array}{c}\psi\\ \phi\end{array}\quad simp\quad \begin{array}{c}\mu(\psi)[\mu(\phi)]\\ \mu(\phi)\end{array}$$

where $\mu$ is a mgu of $\phi$ and some simplifiable subformula of $\psi$, and $\mu$ is applied on all open branches.

¹ We use a non-standard notation for tableau rules: the formulae on the left are required to be on the branch and are replaced by the ones on the right. This notation has the advantage of making clear which formulae need to be retained after the rule application.
While this approach is sound, it relies on the application of a global instantiation for the free variables. The problem with such a rule is that it introduces a new backtracking point, because the applied unifier might not lead to a proof. Not only does this make the rule unsuitable for a backtracking-free proof procedure; it is also problematic for a backtracking prover, as efficiency will suffer if more backtracking points than necessary are introduced.

3 Lifting with Constrained Formulae

A universal technique for avoiding the global application of substitutions is to decorate the formulae on tableau branches with unification constraints. A unification constraint $C$ is a conjunction of syntactic equalities between terms or formulae, written as

$$s_1 \doteq t_1 \,\&\, \ldots \,\&\, s_k \doteq t_k$$

We use the symbol $\doteq$ for syntactic equality in the constraint language to avoid confusion with the meta-level $=$. Let

$$Sat(C) = \{\sigma \mid \text{for all } i,\ \sigma(s_i) \text{ equals } \sigma(t_i) \text{ syntactically}\}$$

be the set of ground substitutions satisfying a constraint. A constraint is called satisfiable, if $Sat(C)$ is not empty, which means that there is a simultaneous unifier for the pairs $(s_i, t_i)$. A constraint $C$ subsumes a constraint $D$, iff $Sat(D) \subseteq Sat(C)$. Two constraints $C$ and $D$ are equivalent, iff $Sat(C) = Sat(D)$.

A constrained formula is an ordered pair $\phi \ll C$ of a formula $\phi$ and a constraint $C$. The intuition is to consider the formula $\phi$ as present, only if the free variables are instantiated in a way that satisfies the constraint. The empty constraint, which is satisfied by all ground substitutions, is usually omitted. Instead of globally applying a mgu of two formulae $\phi$ and $\psi$ to the proof, when a rule application requires some instantiation of free variables, we can annotate the formulae resulting from the rule application with a constraint $\phi \doteq \psi$, which is a local operation that does not lead to a backtracking choicepoint. For instance, simplification of $p(X) \vee q(X)$ with $\neg p(a)$ requires instantiation of $X$ with $a$ leading to $false \vee q(a) \ll X \doteq a$, which is rewritten to $q(a) \ll X \doteq a$.

Obviously, if formulae $\phi_i \ll C_i$ which already carry constraints are involved in a rule application, the conjunction $C_0 \,\&\, C_1 \ldots$ has to be passed on to the resulting formulae. This is referred to as constraint propagation. Constraints are propagated through rule applications, until a branch is closed. Closure between two literals $L \ll C$ and $\neg L' \ll C'$ is only allowed if the constraint $C \,\&\, C' \,\&\, L \doteq L'$ is satisfiable.

Using unification constraints, the simplification rule takes the form

$$\begin{array}{l}\psi \ll C\\ \phi \ll D\end{array}\quad simp^{uc}\quad \begin{array}{l}\psi \ll C\\ \phi \ll D\\ \mu(\psi)[\mu(\phi)] \ll (C \,\&\, D \,\&\, \phi \doteq \xi)\end{array}$$

where $\xi$ is a simplifiable subformula of $\psi$, $\mu$ is a mgu of $\xi$ and $\phi$, and $C \,\&\, D \,\&\, \phi \doteq \xi$ is satisfiable.

The $simp^{uc}$ rule keeps an unsimplified copy of $\psi \ll C$ on the branch. This will change in later versions. An immediate consequence of keeping both original formulae is that completeness follows trivially from the completeness of the calculus without simplification. We only need to ascertain soundness.

Theorem 1. The tableau calculus with constrained formulae using the $simp^{uc}$ rule is sound, i.e. if a proof exists for a finite set of formulae, then that set is unsatisfiable.

Proof. Let $\sigma$ be a closing substitution for the tableau. This means that $\sigma$ assigns a ground term to each free variable that occurs on the tableau, so that under $\sigma$, every branch contains a complementary pair of literals with constraints satisfied by $\sigma$. Consider the ground proof-tree obtained by replacing each formula $\phi$ on the tableau by $\sigma(\phi)$. In particular, this implies omitting any formulae with constraints that are not satisfied by $\sigma$. Tableau expansions for formulae with unsatisfied constraints are left out. For a $\beta$-expansion this means that only one of the branches needs to be kept, it doesn’t matter which.

There is then a complementary pair on each branch of the resulting ground proof. Furthermore, as constraints can only be strengthened by rule applications, all proof steps needed to derive the complementary pair are still present in the reduced proof. Simplification steps are transformed into instances of the ground simplification rule

$$\begin{array}{c}\psi\\ \phi\end{array}\quad\to\quad \begin{array}{c}\psi\\ \phi\\ \psi[\phi]\end{array}$$

It remains to show that this ground version of the rule is sound. For this, it is sufficient to show that in any model where $\psi$ and $\phi$ hold, $\psi[\phi]$ also holds, which immediately follows from the definition of $\psi[\phi]$. □

It is a little misleading to call $simp^{uc}$ a simplification rule, because the original formula $\psi \ll C$ has to be retained for completeness. Indeed, one cannot simply delete the original formula, because there is no guarantee that the closing instantiation of the proof will be such that the simplification is possible.

There is however an important special case: if the ‘new’ part of the constraint $D \,\&\, \phi \doteq \xi$ subsumes the ‘old’ part $C$, the original formula $\psi \ll C$ may be discarded, because this means that the simplification step is valid in all ground instances of $\psi$ allowed by the constraint $C$. Let $simp^{uc'}$ be the rule obtained with this modification.

Theorem 2. The $simp^{uc'}$ rule is sound. It is also complete, in the sense that a branch that can be closed under some $\sigma$ after applying a sequence $R$ of expansion steps, can still be closed under $\sigma$ by a modified sequence $R'$ after an application of the $simp^{uc'}$ rule. Moreover, there is such an $R'$ that is at most as long as the original $R$.²

Proof. Soundness may be shown as for $simp^{uc}$, see Theorem 1.

Completeness would be difficult to show by a Hintikka-style argument, because of the destructive nature of $simp^{uc'}$. Apart from that, such a proof would not yield the statement about the proof sizes. We shall construct $R'$ from $R$ by a proof transformation, in which rule applications on (descendants of) a discarded original formula $\psi \ll C$ can either be applied to (descendants of) the simplified or simplifying formula, or be discarded altogether.

In case the $simp^{uc'}$ application does not discard the original formula, we can simply take $R' = R$. Assume that the original formula is discarded. In that case the new constraint $C \,\&\, D \,\&\, \phi \doteq \xi$ is equivalent to $C$. We also assume that the closing substitution $\sigma$ satisfies $C$, because otherwise the simplification step could not be useful to close the branch, and $R'$ could be constructed by simply leaving it away. In particular, we thus have $\sigma \in Sat(D)$ and $\sigma(\phi) = \sigma(\xi)$. We now ‘factor’ the replacement of $\psi$ by $\mu(\psi)[\mu(\phi)]$ into a sequence of simpler replacements and show for each of these how $R$ is transformed.

Firstly, as $\sigma$ satisfies $C$, $\sigma(\mu(\psi)) = \sigma(\psi)$. This implies that $\psi$ can be replaced by $\mu(\psi)$ in the original branch, and the derivation $R$ still closes it under $\sigma$.

After this, the calculation of $\mu(\psi)[\mu(\phi)]$ from $\mu(\psi)$ consists in replacing occurrences of a sub-formula of $\mu(\psi)$ by $true$ or $false$, and performing a number of boolean simplifications in the result.

With the formula $\phi \ll D$ on the branch, let us replace an occurrence of $\mu(\phi)$ in $\mu(\psi)$ by $true$. Let $R'$ mimic all the proof steps in $R$ except those which concern the sub-formula which has been replaced by $true$. If the replaced occurrence in $\psi$ has positive polarity, i.e. it is in the scope of an even number of negations, then $R$ produces the formula $\mu(\phi) \ll C$, while $R'$ produces $true \ll C$. The proof steps of $R$ on $\mu(\phi) \ll C$ are transformed to $R'$ by applying them on the formula $\phi \ll D$, which is also on the branch. The applicability of tableau rules depends only on the top level junctors and quantifiers, so all rules that are applied on $\mu(\phi)$ can also be applied on $\phi$. The constraint $D$ on $\phi$ is also no problem, as the closing substitution $\sigma$ satisfies $D$. If the occurrence is of negative polarity, $R'$ produces the formula $false \ll C$, which immediately closes the branch under $\sigma$. The dual case, where $\neg\phi \ll D$ is on the branch, and a sub-formula is replaced by $false$, is exactly symmetric.

It remains to show that boolean simplification steps don’t affect completeness. We will look only at some representative cases. Assume that an occurrence of $A \wedge true$ is replaced by $A$ in $\psi$. Again, we let $R'$ mimic the original proof steps until a rule must be applied on the simplified sub-formula. Depending on polarity, we now have only $A$ instead of $A \wedge true$, resp. $\neg A$ instead of $\neg(A \wedge true)$. In the first case, an $\alpha$ rule application in $R$ only leads to an additional literal $true$, which is useless for the proof, so all later proof steps in $R$ can be applied in $R'$. In the second case, the $\beta$ rule application in $R$ leads to one branch with $\neg A$ and one with $\neg true$. We can use the proof steps of the former to finish $R'$.

We now consider the case where an occurrence of $A \wedge false$ is replaced by $false$ in $\psi$. Again depending on polarity, the proof steps of $R$ now produce $false$ instead of $A \wedge false$, resp. $true$ instead of $\neg(A \wedge false)$. In the first case, the $false$ literal can be used to close the derivation $R'$ immediately. In the second case, the $\beta$ split in $R$ produces one branch with $\neg A$ and one with $\neg false$. As the latter formula cannot be used to close the branch, we can take the rule applications of $R$ on that branch to complete $R'$.

Other boolean simplification steps for quantifiers and negation can be handled similarly. □

² Note that the $simp^{uc'}$ application is not counted in $R'$. So the overall proof size may increase by 1.

The $simp^{uc}$ rules enjoy an interesting relative termination property, which they share with the $\alpha$ and $\beta$ rules, namely that only a finite number of simplification steps can be performed without intervening $\gamma$-expansions, under certain side conditions. Call two constrained formulae $\phi \ll C$, $\psi \ll D$ variants, if $C$ and $D$ are equivalent and for all $\sigma \in Sat(C)$, $\sigma(\phi) = \sigma(\psi)$. E.g. $p(X) \ll X \doteq a$ and $p(a) \ll X \doteq a$ are variants.

Theorem 3. Starting from a given tableau branch, only a finite number of $\alpha$, $\beta$, and $simp^{uc}$ rule applications without intervening applications of the $\gamma$ rule are possible, if $simp^{uc}$ is never applied twice to the same pair of constrained formulae, and any formula which is a variant of a formula already present on a branch is discarded. The same is true for the $simp^{uc'}$ rule.

Proof. A formula $\phi$ can only be simplified by setting one of its subterms to $true$ or $false$, and the resulting simplified formulae are all smaller than $\phi$. So the number of distinct formulae that can be generated is finite. On the other hand, all constraints that could be generated are conjunctive combinations of existing constraints and syntactic equations between subformulae of formulae on a branch, so there can be only finitely many non-equivalent constraints. Accordingly, the number of non-variant constrained formulae must be finite. For $simp^{uc'}$, formulae are occasionally discarded from a branch. This implies that even fewer rule applications are possible, so the same argument holds. □

As a practical consequence of this finiteness property, there is no need to interleave $\gamma$ and $simp^{uc}$ applications in a proof procedure to guarantee fairness. It is possible to apply all possible simplifications before considering an application of the $\gamma$ rule.

4 Dis-unification Constraints 

Although the $simp^{uc'}$ rule permits the original formula $\psi \ll C$ to be deleted from the branch in some cases, it will usually have to be kept. This can lead to redundancies as exemplified by the following tableau branch for the set of formulae $\{p(a), q(a), \neg p(X) \vee \neg q(X) \vee r(X)\}$:

    1 : p(a)
    2 : q(a)
    3 : ¬p(X) ∨ ¬q(X) ∨ r(X)
    4 = simp(3, 1) : ¬q(a) ∨ r(a) ≪ X ≐ a
    5 = simp(3, 2) : ¬p(a) ∨ r(a) ≪ X ≐ a

After generation of 4, formula 5 is redundant, because if $X$ is actually instantiated with $a$ as the constraint of 5 demands, formula 3 could have been discarded after generating 4. $q(a)$ only needs to be used to simplify 4, leading to $r(a) \ll X \doteq a$. In the presence of a large formula and many simplifying literals, a large number of such redundant formulae may be generated.

One way of overcoming this problem is to record instantiations under which 
a formula could have been discarded in the constraint. To do this, we have 
to require the constraint language to be closed under negation (denoted ‘!’) as 
well as conjunction. The resulting constraint satisfiability problems are known 
as dis-unification problems, see e.g. [5], so I will talk of dis-unification or DU 
constraints. 

A little care has to be taken with the semantics of DU constraints: Some DU constraints that are not satisfiable in the current signature might become satisfiable when the signature is extended. E.g., $!\,X \doteq a$ is not satisfiable in a signature consisting only of the constant symbol $a$, but it is satisfiable in any extended signature. In our context, satisfiability should be considered with respect to a possibly extended signature, because new skolem symbols might be introduced at a later point. In practice, it turns out that the satisfiability and subsumption checks actually get simpler with this definition. The same effect for term ordering constraints was noted in [15].

Using DU constraints, the simplification rule can be reformulated as follows:

$$\begin{array}{l}\psi \ll C\\ \phi \ll D\end{array}\quad simp^{du}\quad \begin{array}{l}\psi \ll C \,\&\, !(D \,\&\, \phi \doteq \xi)\\ \phi \ll D\\ \mu(\psi)[\mu(\phi)] \ll (C \,\&\, D \,\&\, \phi \doteq \xi)\end{array}$$

where $\xi$ is a simplifiable subformula of $\psi$, $\mu$ is a mgu of $\xi$ and $\phi$, and $C \,\&\, D \,\&\, \phi \doteq \xi$ is satisfiable.

This rule differs from $simp^{uc}$ in that the constraint of the original formula $\psi$ is changed by adding $!(D \,\&\, \phi \doteq \xi)$. What this means is that the formula is no longer available for simplification steps requiring an instantiation under which this simplification would have been possible.

We now allow formulae with unsatisfiable constraints to be discarded, as they cannot contribute to tableau closure anyway. One easily checks that this makes it possible to discard $\psi$ at least in all those cases where $simp^{uc'}$ allows it.
The example above now becomes

    1 : p(a)                              1 : p(a)
    2 : q(a)                    ⟹         2 : q(a)
    3 : ¬p(X) ∨ ¬q(X) ∨ r(X)              3 : ¬p(X) ∨ ¬q(X) ∨ r(X) ≪ !X ≐ a
                                          4 : ¬q(a) ∨ r(a) ≪ X ≐ a

The constraint $!\,X \doteq a$ now prevents the simplification of 3 with 2. But we can perform a second simplification step by simplifying 4 with 2, which changes the constraint of 4 to $X \doteq a \,\&\, !\,X \doteq a$, which is unsatisfiable, so 4 can be discarded after adding the literal $r(a) \ll X \doteq a$.

The $simp^{du}$ rule enjoys similar properties as $simp^{uc'}$, as the following theorem shows.

Theorem 4. The $simp^{du}$ rule is sound. It is also complete in the sense of Theorem 2.

Proof. Soundness follows from Theorem 1, as strictly fewer rule applications are possible than with $simp^{uc}$. Completeness is shown using the same technique as for Theorem 2. We take the addition of the DU constraint into account by considering three cases, depending on which of the constraints involved in the $simp^{du}$ application are satisfied by the closing substitution $\sigma$. If $\sigma$ does not satisfy $C$, any proof steps on $\psi \ll C$ can be left out anyway, as they do not contribute to the closure of the subtableau. If $\sigma \in Sat(C)$, but $\sigma \notin Sat(D \,\&\, \phi \doteq \xi)$, we can perform all extensions as in $R$, because $\sigma$ satisfies the changed constraint $C \,\&\, !(D \,\&\, \phi \doteq \xi)$. Finally, if $\sigma \in Sat(C)$ and $\sigma \in Sat(D \,\&\, \phi \doteq \xi)$, we perform the proof transformation as in the proof of Theorem 2, considering the original formula to be deleted, because its constraint and the constraints of any formulae derived from it are not satisfied by $\sigma$. □

The principal drawback of the $simp^{du}$ version of our simplification rule is the high complexity of dis-unification. As a compromise, it is possible to keep unification (U) and dis-unification (DU) parts of constraints separate and to weaken the DU part of constraints if convenient. The unification part has to be left alone, as it is relevant for soundness. The DU part only serves to reduce the necessary proof search, so it may be thrown away without losing correctness.

One possible approach consists in restricting oneself to conjunctive dis-uni-
fication constraints [11], which are constraints of the form C_0 & !C_1 & !C_2 ...,
where the C_i are conjunctive unification constraints as in Sect. 3. Here, C_0 is the
U part and !C_1 & !C_2 ... the DU part of the constraint. The DU part of the
constraint of a formula is discarded before it is used to simplify another one, in
order to maintain this form for all constraints. Satisfiability and subsumption
(for possibly extended signatures) are fairly easy to check for these constraints.
In fact, it is shown in [11] that a conjunctive DU-constraint is satisfiable in
a possibly extended signature exactly if C_0 is satisfiable and C_0 is not subsumed
by any of the C_i.
5 Using Universal Variables

In practice, the simplification rules as outlined above tend to require a lot of in-
stances of γ-formulae. E.g., given the formulae {p(a), p(b), p(c), ∀x.¬p(x) ∨ q(x)},
one can produce after one γ expansion the literals q(a) ≪ X = a, q(b) ≪ X = b,
and q(c) ≪ X = c. But these literals have mutually contradictory constraints, so
any further rule application or closure can involve at most one of these literals.
One needs three instances of the γ formula to produce the compatible literals
q(a) ≪ X_1 = a, q(b) ≪ X_2 = b, and q(c) ≪ X_3 = c. But with three instances,
not only these three useful literals are deducible, but a total of nine q-literals
coming from the simplification of each instance ¬p(X_i) ∨ q(X_i) with each of
the three p-literals. As all of these will subsequently be used to simplify any q-
subformula on the branch, this can quickly lead to a huge (though finite) number
of rule applications.

One way to reduce the number of distinct instances of γ formulae is to use
universal variables, see e.g. [4]. A free variable x is called universal with respect
to a formula φ on a tableau branch, if ∀x.φ is a logical consequence of the
formulae on the branch. All other free variables are called rigid. This property is
of course undecidable. In practice, one uses simple sufficient criteria to detect
universality of free variables, the most common one being to flag all free variables
introduced in a γ extension as universal, and to preserve universality through
all non-splitting rule applications. After a β rule application, those free variables
which occur in more than one of the subformulae become rigid. The benefit
of universal variables is that they may be instantiated independently for all
formulae and may also be renamed as needed, whereas rigid variables have to
be instantiated identically on all branches.

I shall write [X]φ ≪ C for a constrained formula with universal variables X.
Using universal variables, the following derivation is possible:

    p(a)                                   p(a)
    p(b)                                   p(b)
    p(c)                      3 × simp     p(c)
    ∀x.¬p(x) ∨ q(x)           -------->    ∀x.¬p(x) ∨ q(x)
    [X]¬p(X) ∨ q(X)                        [X]¬p(X) ∨ q(X) ≪ !X = a & !X = b & !X = c
                                           [X]q(a) ≪ X = a
                                           [X]q(b) ≪ X = b
                                           [X]q(c) ≪ X = c

The resulting literals are no longer incompatible, because X may be instantiated
differently for each of them. It is of course possible to eliminate the universal
variable and constraint altogether in these literals, but that is a technical opti-
mization which is not strictly necessary.
Formally, in a simplification, all free variables in the result that were universal
in one of the original formulae may be flagged as universal in the result [11]:

    [X] ψ ≪ C                 [X] ψ ≪ C & !(D & φ = ξ)
    [Y] φ ≪ D      --->       [Y] φ ≪ D
                              [X ∪ Y] μ(ψ)[μ(φ)] ≪ C & D & φ = ξ

where ξ is a simplifiable¹ subformula of ψ, μ is a mgu of ξ and φ, and C & D & φ = ξ
is satisfiable.

This rule is sound and complete for the free-variable tableau calculus with
universal variables. Completeness can be shown by a combination of the tech-
nique used in [8], Sect. 7.4, for showing completeness of tableaux with universal
variables, and the proof transformation technique of Theorems 2 and 4. By
contrast, the termination property does not hold any more if universal vari-
ables are used. To apply the rule, it is necessary in general to rename universal
variables in the original formulae to make them disjoint. But this renaming
destroys termination. Consider for instance the formulae p(a) and
[X]¬p(X) ∨ p(f(X)). With simplification and renaming of universal variables, it
is possible to consecutively deduce

    [X_1] p(f(a)) ≪ X_1 = a
    [X_1, X_2] p(f(f(a))) ≪ X_1 = a & X_2 = f(a)
    [X_1, X_2, X_3] p(f(f(f(a)))) ≪ X_1 = a & X_2 = f(a) & X_3 = f(f(a))

etc.

This means that in general simplification and γ instantiation need to be in-
terleaved to retain fairness. As the rule without renaming obviously enjoys the
finiteness property, one might alternatively interleave renaming and γ instan-
tiation, but that would amount to ignoring universality most of the time.

It is interesting to note that there are many problems, Schubert's 'Steam-
roller' [18] being a particularly prominent example, in which simplification with
universal variables actually does terminate. This is true in particular when
some simplification strategy, like the hyper strategy discussed in the next sec-
tion, is used that does not apply arbitrary simplification steps. To handle such
cases efficiently, it is advisable to equip a proof procedure with some sort of
cycle detection that only interleaves simplifier applications with γ rules if they
threaten to lead to infinite simplification sequences. One possibility is to set
a limit on the size of inferred formulae, which can be incrementally increased as
the tableau is expanded. This would always allow rule applications which really
simplify a formula in the sense of making it smaller.

¹ The 'simplifiable subformula' condition could be relaxed to permit, e.g., the simpli-
fication of ∃y.p(y) with [X]¬p(X), but this becomes rather technical, so we won't do
it in this paper.
6 Simplification Strategies

Although we have identified cases in which we can discard the original formula
in a simplification step, we should not forget that this is not possible in general.
With the simp^DU rule and its universal-variable version, we can at least strengthen
the constraint of the original formula, but this does not change the fact that our
so-called simplification rule actually makes branches larger in most cases. The
reason for using the name simplification is the analogy to the ground and
propositional simplification rules which our first-order version subsumes.

In order for the simplification rules to be useful in a prover, one needs a sim- 
plification strategy, that is a strategy that prescribes when to apply which kinds 
of simplification steps. 

We claimed in the introduction that our simplification rules are capable of 
simulating first-order versions of various refinements, including hyper tableaux, 
and regularity. We have yet to show that this has been achieved. In this section, 
we shall describe a simplification strategy that implements a non-clausal ana- 
logue of hyper tableaux. The details of this strategy and corresponding proofs 
can be found in [11]. In that work, there is also a description of how the sim- 
plification rules may be used to introduce a first order, non-clausal version of 
regularity. 

Hyper tableaux are defined for problems stated in clause normal form (CNF),
see [12, 2]. For clause tableaux, it is customary not to include the clauses in the
tableau itself. Instead, one only uses the literals which result from expanding the
tableau with a clause. Hyper tableaux permit an expansion with a clause only if
all new branches which receive negative² literals of the clause are immediately
closed. All inner leaves are thus positive literals.

Alternatively, one can take the view of interpreting the clauses as tableau 
expansion rules themselves. In this view, a clause is ‘fired’ if there is a positive 
literal on a branch for every negative literal of the clause. The tableau is then 
extended by one new branch for each of the positive literals of the clause. One 
usually writes clauses as implications to support this view. 

In the first-order case, one has to apply a substitution to unify the negative 
literals of the clause with corresponding positive literals on the branch. The 
way variables are handled differs between the various presentations of hyper 
tableaux. While [2] uses universal variables in branch literals where possible, 
that version of hyper tableaux does not use rigid variables. Instead, it uses 
‘purifying substitutions’ which generate ground instances of clauses if necessary. 
This happens whenever a variable is shared between two positive literals of 
a clause without occurring in any of the negative literals. A version described 
in [12] uses rigid variables in such situations, using copies of clauses to avoid 
destructive instantiation. In [20], a variant with rigid variables and constraints 
is proposed, but constraints are attached to branches instead of formulae as is 
done in our calculi. 

² We consider positive hyper tableaux here. It is possible to exchange the roles of
positive and negative literals, which leads to negative hyper tableaux.
We can define a version of first-order hyper tableaux using constrained formu-
lae. As usual, we use rigid variables when necessary, and constraints to capture
necessary instantiations. Here is an example of this approach:

    Clause Set: { ... }

    q(a) ≪ Y = f(a)

After putting the literal p(a, b) on the branch using the first clause, we expand the
tableau using the second clause, where p(x, z) is instantiated with p(a, b). As the
two branches share the new variable Y, this has to be rigid. Subsequent expansion
of the left branch with the third clause is possible only if Y is instantiated to
f(a). This restriction is captured in the constraint of the generated literal.

These rigid variable, constrained formula hyper tableaux can be emulated 
using our simplification rule with universal variables and a suitable simplification 
strategy. From now on, we shall consider normal analytic tableaux again. The 
set of clauses is given as a set of universally quantified disjunctions of literals. 
The following simplification strategy then emulates hyper tableaux: 

Use simplification only to simplify any leftmost negative literals in-
side disjunctions with positive literals occurring on the branch. Use β-
expansion only for disjunctions which contain no negative literals.

With this strategy, the emulation of a hyper tableau expansion will require 
exactly one intermediate simplification step for every negative literal in the 
clause/disjunction in question. 

There is obviously not much merit in using this emulation of hyper tableaux 
in an actual implementation, if problems are given as clause sets. It would be 
simpler and more efficient to implement a rigid variable constrained formula 
hyper tableau calculus directly, instead of implementing non-clausal tableaux 
and simplification, and then restricting it to clauses. The interesting point about 
the emulation is that it suggests a way of generalizing hyper tableaux to non- 
clausal problems. We show how this works for negation normal form (NNF). 

The idea is to look at disjunctive paths (d-paths) through formulae instead of
clauses. The set of d-paths of a formula φ, denoted dp(φ), is defined by induction
over the structure of φ as follows.

— If φ is a literal or a universally quantified formula, then dp(φ) := {(φ)}.

— If φ = α_1 ∧ α_2 is a conjunction, then dp(φ) := dp(α_1) ∪ dp(α_2).

— If φ = β_1 ∨ β_2 is a disjunction, then dp(φ) := {pq | p ∈ dp(β_1), q ∈ dp(β_2)}.

For instance, for the formula φ = (p ∧ ¬p) ∨ (q ∧ ¬q), this definition gives:

    dp(p ∧ ¬p) = {(p), (¬p)}
    dp(q ∧ ¬q) = {(q), (¬q)}
    dp(φ)      = {(p, q), (p, ¬q), (¬p, q), (¬p, ¬q)}
As d-paths correspond closely to clauses, it is not surprising that the correct
generalization of our simplification strategy may be formulated like this:

    Use simplification only to simplify any leftmost negative literal of some
    d-path of a formula on the branch. Use β-expansion only for disjunctions
    which have at least one d-path that does not contain a negative literal.

For our formula φ, β-expansion will thus be applied because of the d-path (p, q).
Let us call this strategy the NNF hyper tableau strategy.
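As an added illustration of the d-path definition and of the two tests the NNF hyper tableau strategy needs, the following Python computes dp(φ) for an NNF formula, lists the negative literals the strategy allows to be simplified (the leftmost negative literal of some d-path) and decides whether a disjunction may be β-expanded. It is not code from the paper or from PrInS; the tuple encoding of formulas and the function names are assumptions made for the example, and the inputs are the paper's formula φ plus a constructed clause.

```python
# Added example: d-paths of an NNF formula and the two tests of the NNF hyper
# tableau strategy. Not code from the paper or PrInS; the formula encoding and
# function names are assumptions for this example.
#
# Encoding: ('lit', name, sign) with sign True for a positive literal,
# ('and', a, b), ('or', a, b), and ('forall', x, body), which the d-path
# definition treats like a literal (it is not looked into).


def d_paths(phi):
    """dp(phi): the disjunctive paths of phi, as a list of tuples of formulas."""
    kind = phi[0]
    if kind in ('lit', 'forall'):
        return [(phi,)]
    if kind == 'and':
        return d_paths(phi[1]) + d_paths(phi[2])
    if kind == 'or':
        return [p + q for p in d_paths(phi[1]) for q in d_paths(phi[2])]
    raise ValueError('formula is not in NNF: %r' % (kind,))


def is_negative(f):
    return f[0] == 'lit' and not f[2]


def simplifiable_literals(phi):
    """Negative literals the strategy may simplify with a positive branch
    literal: the leftmost negative literal of some d-path (order kept)."""
    found = []
    for path in d_paths(phi):
        for f in path:
            if is_negative(f):
                if f not in found:
                    found.append(f)
                break
    return found


def beta_expandable(phi):
    """The strategy beta-expands a disjunction only if at least one of its
    d-paths contains no negative literal."""
    if phi[0] != 'or':
        return False
    return any(not any(is_negative(f) for f in path) for path in d_paths(phi))


def lit(name, positive=True):
    return ('lit', name, positive)


# Constructed inputs: the paper's phi = (p ∧ ¬p) ∨ (q ∧ ¬q), and the clause
# ¬p ∨ ¬q ∨ r, for which the strategy reduces to the clausal one.
PHI = ('or', ('and', lit('p'), lit('p', False)),
             ('and', lit('q'), lit('q', False)))
CLAUSE = ('or', ('or', lit('p', False), lit('q', False)), lit('r'))

if __name__ == '__main__':
    for path in d_paths(PHI):
        print('d-path:', ' '.join(('' if f[2] else '¬') + f[1] for f in path))
    print('beta-expand PHI   :', beta_expandable(PHI))
    print('beta-expand CLAUSE:', beta_expandable(CLAUSE))
    print('simplify in CLAUSE:', simplifiable_literals(CLAUSE))
```

For a clause there is exactly one d-path, so `simplifiable_literals` returns only its leftmost negative literal and `beta_expandable` is true exactly for clauses without negative literals, which is the clausal strategy stated earlier.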

Theorem 5. The constrained variable tableau calculus with universal variables
and the simplification rule of Sect. 5 is complete if restricted according to the
NNF hyper tableau strategy.

Proof. See [11]. □

Sometimes, a simplification step permits discarding the original formula ψ.
In such cases, a prover using the NNF hyper tableau strategy has an advantage
over usual clausal hyper tableaux, even if the problem is given in clausal form:
it can simplify the clause set while proof search is under way. Essentially, unit
resolution between a universal branch literal and a clause is performed. For
instance, given a literal [X]p(X) and a universal disjunction [Y]¬p(Y) ∨ r(Y), the
latter can be destructively simplified to [U]r(U) for that branch. This cannot
be done in normal hyper tableaux, as these do not keep separate clause sets
per branch. Note that these separate clause sets do not imply higher memory
consumption, because the representation of clauses can easily be shared between
branches in an implementation.

The NNF hyper tableau strategy was implemented in the prototypical non-
backtracking tableau prover PrInS [10, 11]. We are not going to list statistics
here, as the power of hyper tableaux has previously been asserted, e.g. in [12].
We shall only state two results on problems found in the TPTP problem library
[19].

With the given strategy, PrInS is able to solve the Steamroller problem in
the full first order formalization PUZ031+1 in less than 150 ms. This used to be
considered a hard problem for a long time, although today no state-of-the-art
theorem prover has difficulties with it. In particular, hyper tableaux are a good
way of quickly finding a proof. The interesting aspect of PrInS solving PUZ031+1
is that it does not use CNF transformation. To our knowledge, PrInS is the first
non-clausal theorem prover to have solved the Steamroller problem.

The problem known as Andrews' Challenge is an example of the advantage of
not needing a clause normal form. The full first order formalization SYN036+2
of that problem had a rating of 0.33 up to version 2.4.0 of the TPTP library,
meaning that one third of the provers considered state-of-the-art were not able
to solve it. The reason for this is that the clause normal form for this problem, if
computed in the standard way, consists of 128 clauses of length 8. The full first
order version in SYN036+2 is built from the equivalence connective and quantifiers
only, and is very small. The NNF PrInS works on is of course significantly larger,
because p ↔ q has to be translated to (p ∨ ¬q) ∧ (¬p ∨ q). But the NNF still
helps in keeping large parts of the formula nested below the top level operators
which are handled first. With the NNF hyper tableau strategy, PrInS solves
SYN036+2 in less than 200 ms. The prover performs 488 α, β and γ expansions
and 322 simplification steps. By contrast, a simple version of PrInS without
simplification needs 3938 rule applications and about 11 seconds for SYN036+2.



7 Related Work 

The idea of using formulae on a branch to simplify other formulae has independently
been developed by Peltier [16]. The problem of dealing with the instantiation of
rigid variables is solved differently, however. While we use ordinary first order for-
mulae and attach a syntactic constraint to them, Peltier intertwines constraints
and formulae. The possibility of attaching different constraints to different parts
of a larger formula might be an advantage of Peltier's approach, but we have
not investigated this. Keeping formulae and constraints apart, as we do, certainly
makes the calculus easier to understand, and easier to reason about.

Recent work by Baumgartner and Tinelli [3] attempts to lift the unit propa- 
gation of the Davis Putnam procedure to first order logic. Their model evolution 
calculus does not use rigid variables however, and accordingly does not need 
constraints. 

8 Conclusion 

Several possibilities for a first-order version of the simplification rule of Mas-
sacci [13, 14] were presented. Instead of globally applying unifying substitutions,
syntactic constraints are used. Besides soundness and completeness, a finiteness
property is discussed, which is important for the design of fair proof procedures.
Experimental results are quoted, which show that an efficient proof procedure
can be implemented using non-clausal tableaux with a simplification rule. We
refer the reader to [11] for a more precise discussion of some of the issues we
could only mention briefly here.

Future work includes the refinement of cyclicity tests and development of 
more goal-oriented simplification strategies than the described hyper-tableaux 
variant. 
Abstract. In this paper we develop labelled and uniform tableau meth-
ods for some fundamental systems of propositional conditional logics. We
consider the well-known system CE (that can be seen as a generaliza-
tion of preferential nonmonotonic logic), and some related systems. Our
tableau proof procedures are based on possible-worlds structures en-
dowed with a family of preference relations. The tableau procedure gives
the first practical decision procedure for CE.

1 Introduction 

Conditional logics have a long history. They have been studied first by Lewis [21,
22] to formalize a kind of hypothetical reasoning (if A were the case then B)
that cannot be captured by classical logic with its material implication. More re-
cently, they have been rediscovered in computer science and artificial intelligence
for their potential application in a number of areas (see [5]), such as knowledge
representation, non-monotonic reasoning, deductive databases, and natural lan-
guage semantics. In knowledge representation, conditional logics have been used
to reason about prototypical properties [13], to model database update [16], belief
revision [3, 14], causal inference in action planning [24] and diagnosis [13]. More-
over, conditional logics can provide an axiomatic foundation of non-monotonic
reasoning [18], as it turns out that all forms of inference studied in the frame-
work of non-monotonic logics are particular cases of conditional axioms [6]. The
conditional logic CE closely corresponds to preferential logic P as defined in [18]:
the latter coincides with the first-degree fragment of CE; rational non-monotonic
logic corresponds to CE+CV, and so on.

In spite of their significance, very few proof systems have been proposed
for conditional logics: we just mention [20, 17, 4, 2, 12, 8]. One possible reason
for the underdevelopment of proof methods for conditional logics is the lack of
a universally accepted semantics for them. This is in sharp contrast, for instance,
with modal or temporal logics, which have a consolidated semantics based on
a standard kind of Kripke structures.

Similarly to modal logics, the semantics of conditional logics can be defined
in terms of possible world structures. The intuition is that a conditional A ⇒
B is true in a world w just in case B is true in the A-worlds that are most
similar/most preferred/closest to w. We consider here conditional logics defined
by a preference-based semantics. The idea is that every world w has an associated
preference relation (in general a preorder relation) on the class of worlds.
A conditional A ⇒ B is true at w if B is true in all minimal A-worlds with respect to
the relation ≤_w. This semantics characterizes the basic system CE we consider
in this paper.

The preference semantics is related to the most popular semantics for con-
ditional logics, namely the sphere semantics [21] and the selection function se-
mantics [22]. The relation is investigated by Grahne [16], who has shown their
equivalence for some systems. The preference-based semantics is also taken as
the "official" semantics of conditional logics by Friedman and Halpern [10] with,
however, one important difference from our setting. Our semantics, like the pref-
erential semantics of non-monotonic logics [18], embodies the limit assumption
(corresponding to the smoothness condition in preferential semantics): every non-
empty set of worlds has a minimal element with respect to each preorder relation
≤_x. This property is not assumed in [10].

The selection function semantics is the most general one and it is suitable
for all systems. Proof systems have been developed for the minimal normal con-
ditional logic CK and some extensions of it, based on the selection function
semantics [23]. For other, stronger logics, such as CE and its main extensions,
the selection function semantics is not adequate for the purpose of developing a proof sys-
tem, as there seems to be no way of expressing the specific semantic conditions on
the selection function by analytic rules. On the other hand, the sphere semantics
seems unwarrantedly complex for developing proof systems, and it does not work for
the basic system CE.

In this work we propose a labelled tableau calculus for CE and some of its
extensions. As far as we know this is the first tableau calculus for this logic.
Explicit or labelled proof systems have been provided for a wide range of modal
and substructural logics and go back at least to Fitting's tableaux for modal
logics [9]. A systematic development of labelled proof systems has been proposed
in [25] and [11]. However, the development of this kind of proof system for
conditional logics, with the exception of [2] and [1], is still unexplored.

Outline of the paper: in section 2 we introduce some background on condi- 
tional logic CE. In section 3, we present a tableau procedure for CE. In section 
4, we prove its soundness, completeness, and we show how to make it termi- 
nating. In section 5, we present some extensions of it. Finally, in section 6 we 
discuss some related approaches. 

2 Background 

We consider a propositional language L over a set of propositional variables
ATM. Formulas of L are built from propositional variables by means of the
connectives ¬, ∧, ⊥, ⇒; the last one is the conditional operator.

Definition 1 (Semantics of CE). A model M has the form ⟨W, {≤_x}_{x∈W}, I⟩,
where W is a non-empty set (of worlds), I is a function W → Pow(ATM),
and {≤_x}_{x∈W} is a family of relations on W, one for each element x ∈ W. For
S ⊆ W we define

    Min_x(S) = {a ∈ S | ∀b ∈ S (b ≤_x a → a ≤_x b)}.

We say that Min_x(S) is the set of ≤_x-minimal elements of S.

We assume the following facts, for every x ∈ W: (1) ≤_x is a reflexive and
transitive relation on W, (2) for every non-empty S ⊆ W, Min_x(S) ≠ ∅. We
define the truth conditions of formulas wrt. worlds in a model M, by the relation
M, x ⊨ φ, as follows:

1. M, x ⊨ p, for p atomic, if p ∈ I(x),

2. M, x ⊭ ⊥,

3. M, x ⊨ ¬φ if M, x ⊭ φ,

4. M, x ⊨ φ ∧ ψ if M, x ⊨ φ and M, x ⊨ ψ,

5. M, x ⊨ φ ⇒ ψ if for all y ∈ Min_x(φ), M, y ⊨ ψ, where Min_x(φ) stands for
   Min_x({y ∈ W | M, y ⊨ φ}).

We say that φ is valid in M if M, x ⊨ φ for every x ∈ W. We say that φ is
CE-valid if it is valid in every model.

We can also define the strict relation y <_x z iff y ≤_x z ∧ ¬(z ≤_x y). Observe that

    Min_x(S) = {a ∈ S | ¬∃b ∈ S. b <_x a}.

The set of valid formulas according to the previous semantics is axiomatized by
considering the following axioms and rules.

Definition 2 (Axiom System CE). The system CE is defined by

(TAUT)  All classical tautologies and the Modus Ponens rule.

(ID)    φ ⇒ φ

(CA)    (φ ⇒ χ) ∧ (ψ ⇒ χ) → (φ ∨ ψ ⇒ χ)

(CSO)   (φ ⇒ ψ) ∧ (ψ ⇒ φ) → ((φ ⇒ χ) → (ψ ⇒ χ))

(A0)    (¬φ ⇒ ⊥) → φ

(A1)    (¬φ ⇒ ⊥) → (¬(¬φ ⇒ ⊥) ⇒ ⊥)

(A2)    ¬(φ ⇒ ⊥) → ((φ ⇒ ⊥) ⇒ ⊥)

(RCEA)  if ⊢ φ ↔ ψ then ⊢ (φ ⇒ χ) ↔ (ψ ⇒ χ)

(RCK)   if ⊢ (ψ_1 ∧ ... ∧ ψ_n) → χ then ⊢ (φ ⇒ ψ_1 ∧ ... ∧ φ ⇒ ψ_n) → (φ ⇒ χ)

An alternative axiomatization of CE is given by replacing (CSO) with the fol-
lowing axiom: (AC) (φ ⇒ ψ) ∧ (φ ⇒ χ) → (φ ∧ ψ ⇒ χ). Observe that another
well known axiom, (RT) (φ ∧ χ ⇒ ψ) ∧ (φ ⇒ χ) → (φ ⇒ ψ), is derivable in CE.

All CE axioms (except (A0), (A1) and (A2)) correspond to well-known prop-
erties of nonmonotonic systems: (AC) is called cumulativity, (RT) is called
non-monotonic cut [18]. More precisely, the first-degree fragment of this logic
corresponds to preferential logic P. To understand axioms (A0), (A1) and (A2),
define the "internal" modality operator □A as ¬A ⇒ ⊥; then (A0), (A1) and
(A2) are nothing more than the usual S5-axioms and encode the assumption
that each relation ≤_x ranges over the same set of worlds¹.

¹ These axioms correspond to the Uniformity Property in [10, 16].
Theorem 1 (Soundness and Completeness, [10, 16]). A formula φ is CE-
valid iff it is derivable in CE.

In section 5, we shall present some extensions of CE. 



3 Tableau Calculus for CE 

In order to develop a tableau calculus for CE, we extend the language by a kind
of hybrid formulas. Given a model M = ⟨W, {≤_x}_{x∈W}, I⟩, we introduce pseudo-
formulas of the form □_x φ for every formula φ and world x ∈ W, whose meaning
is defined by stipulating:

    M, y ⊨ □_x φ  iff  for every z ∈ W, if z <_x y then M, z ⊨ φ.

Observe that for any formula φ, we have:²

    y ∈ Min_x(φ)  iff  M, y ⊨ φ ∧ □_x ¬φ.
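The following Python is an added example, not code from the paper: it builds a small finite model according to Definition 1 (each ≤_x is closed to a preorder; in a finite model every non-empty set has ≤_x-minimal elements, so the limit assumption holds automatically), evaluates formulas including conditionals, implements the pseudo-formulas □_x just introduced using the strict relation <_x, and checks the characterisation of Min_x(φ) above mechanically for every x and y. The three-world bird/penguin model, the tuple encoding of formulas and all names are constructed for this illustration.

```python
# Added example: a finite preferential model for CE (Definition 1), its truth
# conditions, Min_x, and the pseudo-formulas box_x of Sect. 3. Not code from
# the paper; the model, encoding and names are constructed for the example.
from itertools import product


class CEModel:
    def __init__(self, worlds, preferences, valuation):
        """worlds: world labels; valuation: dict world -> set of atoms;
        preferences: dict x -> pairs (a, b) meaning a <=_x b. Each <=_x is
        closed under reflexivity and transitivity, so it is a preorder."""
        self.W = list(worlds)
        self.I = valuation
        self.leq = {x: self._preorder(preferences.get(x, ())) for x in self.W}

    def _preorder(self, pairs):
        rel = set(pairs) | {(w, w) for w in self.W}
        changed = True
        while changed:                      # transitive closure by saturation
            changed = False
            for (a, b), (c, d) in product(list(rel), repeat=2):
                if b == c and (a, d) not in rel:
                    rel.add((a, d))
                    changed = True
        return rel

    def leq_x(self, x, a, b):
        return (a, b) in self.leq[x]

    def lt_x(self, x, a, b):
        """Strict relation: a <_x b iff a <=_x b and not b <=_x a."""
        return self.leq_x(x, a, b) and not self.leq_x(x, b, a)

    def min_x(self, x, S):
        """Min_x(S) = {a in S | for all b in S, b <=_x a implies a <=_x b}."""
        return {a for a in S
                if all(self.leq_x(x, a, b) for b in S if self.leq_x(x, b, a))}

    def sat(self, w, phi):
        k = phi[0]
        if k == 'atom':
            return phi[1] in self.I[w]
        if k == 'bot':
            return False
        if k == 'not':
            return not self.sat(w, phi[1])
        if k == 'and':
            return self.sat(w, phi[1]) and self.sat(w, phi[2])
        if k == 'cond':            # phi => psi: psi holds in all <=_w-minimal phi-worlds
            ante = {y for y in self.W if self.sat(y, phi[1])}
            return all(self.sat(y, phi[2]) for y in self.min_x(w, ante))
        if k == 'box':             # pseudo-formula box_x body: body holds in all z <_x w
            _, x, body = phi
            return all(self.sat(z, body) for z in self.W if self.lt_x(x, z, w))
        raise ValueError(k)

    def valid(self, phi):
        return all(self.sat(w, phi) for w in self.W)

    def min_characterisation_holds(self, body):
        """Check y in Min_x(body) iff y |= body and box_x not body, for all x, y."""
        for x in self.W:
            ante = {y for y in self.W if self.sat(y, body)}
            for y in self.W:
                lhs = y in self.min_x(x, ante)
                rhs = self.sat(y, ('and', body, ('box', x, ('not', body))))
                if lhs != rhs:
                    return False
        return True


def atom(p): return ('atom', p)
def cond(a, b): return ('cond', a, b)
def neg(a): return ('not', a)
def conj(a, b): return ('and', a, b)


# Constructed model: w2 is the most normal world at every x; w1 is a penguin.
MODEL = CEModel(
    worlds=['w0', 'w1', 'w2'],
    preferences={x: [('w2', 'w0'), ('w2', 'w1')] for x in ['w0', 'w1', 'w2']},
    valuation={'w0': {'bird'}, 'w1': {'bird', 'penguin'}, 'w2': {'bird', 'flies'}},
)
BIRD, PENGUIN, FLIES = atom('bird'), atom('penguin'), atom('flies')

if __name__ == '__main__':
    print('bird => flies            :', MODEL.valid(cond(BIRD, FLIES)))
    print('bird ∧ penguin => ¬flies :', MODEL.valid(cond(conj(BIRD, PENGUIN), neg(FLIES))))
    print('penguin => flies         :', MODEL.valid(cond(PENGUIN, FLIES)))
    print('Min characterisation     :', MODEL.min_characterisation_holds(BIRD))
```

The model makes `bird ⇒ flies` and `bird ∧ penguin ⇒ ¬flies` valid together, which is the non-monotonic behaviour the conditional is meant to capture; `valid(cond(phi, phi))` is true for any φ, as (ID) requires.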

The use of modal formulas to interpret the semantics of conditionals is not new.
Boutilier [3] introduces a bi-modal logic to define some conditional logics strongly
related to CE and CV. However, there are two important differences: first, in his
semantics there is only one modality, rather than a family of modal operators
indexed by worlds. For this reason his logic is unable to represent nested condi-
tionals properly (β ⇒ γ implies α ⇒ (β ⇒ γ)). As a second difference, he does
not accept the limit assumption, and thus has to change the truth definition of
conditionals, as Lewis [21] and Friedman and Halpern [10] do.

We use modal pseudo-formulas to give tableau rules for conditional logic CE.
The tableau formulas are of the following kinds: (a) x : φ, where φ is a formula
or a pseudo-formula; (b) x <_y z.

A branch is a set of tableau formulas. Given a branch B, we denote by W_B
the set of labels occurring in B. Figure 1 contains the tableau rules.

A branch is closed if it contains both x : φ and x : ¬φ, or it contains x : ⊥.
A tableau is closed if every branch is closed. A non-closed branch is called open.
We say that a formula φ is T-provable if the tableau for x : ¬φ is closed.

The rules do not need an explanation, being a direct encoding of the seman-
tics, with perhaps the exception of the (F□) rule. This rule takes into account the
minimality requisite imposed by the limit assumption: if y ⊨ ¬□_x α then we
conclude that there is a minimal smaller z <_x y such that z ⊨ ¬α, i.e. z : ¬α
together with z : □_x α. This rule does the same job as the corresponding rule
(due to Fitting [9]) for the modal system G, the extension of K4 by the Löb axiom
□(□α → α) → □α.

Example 1. We show that (CSO) (φ ⇒ ψ) ∧ (ψ ⇒ φ) → ((φ ⇒ χ) → (ψ ⇒ χ)) is
valid. Figure 2 shows one half of the proof tree, the other half being symmetrical.

² We could go further and try to define the translation of a conditional as something
like: M, x ⊨ φ ⇒ ψ iff M, x ⊨ [U]((φ ∧ □_x ¬φ) → ψ), where [U] represents the
universal modality. We are grateful to one of the referees for this suggestion. However,
given the presence of the modality containing a world index, the above one
cannot work as a pure syntactic translation.
    (T∧)      x : φ ∧ ψ               (F∧)      x : ¬(φ ∧ ψ)
              ---------                         -----------------
              x : φ                             x : ¬φ  |  x : ¬ψ
              x : ψ

    (T∨)      x : φ ∨ ψ               (F∨)      x : ¬(φ ∨ ψ)
              ---------------                   -----------
              x : φ  |  x : ψ                   x : ¬φ
                                                x : ¬ψ

    (T→)      x : φ → ψ               (F→)      x : ¬(φ → ψ)
              ----------------                  -----------
              x : ¬φ  |  x : ψ                  x : φ
                                                x : ¬ψ

    (NEG)     x : ¬¬ψ
              -------
              x : ψ

    (T⇒)(*)   x : φ ⇒ ψ                         (F⇒)(**)  x : ¬(φ ⇒ ψ)
              --------------------------------            -----------
              y : ¬φ  |  y : ¬□_x ¬φ  |  y : ψ            y : φ
                                                          y : □_x ¬φ
                                                          y : ¬ψ

    (T□)(*)   z : □_x φ                (F□)(**)  z : ¬□_x φ
              y <_x z                            ---------
              ---------                          y <_x z
              y : φ                              y : ¬φ
                                                 y : □_x φ

    (Trans)   y <_x z
              z <_x u
              -------
              y <_x u

(*) y is a label occurring in the branch.

(**) y is a new label not occurring in the branch.

Fig. 1. Tableau rules for CE

4 Soundness, Completeness, and Termination for CE 

In order to prove soundness and completeness, we need to define the notion
of satisfiability of a branch. Let M = ⟨W, {≤_x}_{x∈W}, I⟩ be a model. Given
a branch B, we say that f : W_B → W is a CE-mapping if for every y <_x z ∈ B,
f(y) <_{f(x)} f(z) holds in M.

Definition 3. Given a branch B of a tableau, a model M, and a CE-
mapping f from W_B to W, we say that B is satisfiable under f in M if the
following holds:

1. if x : φ ∈ B then M, f(x) ⊨ φ,

2. if x : ¬φ ∈ B then M, f(x) ⊭ φ,

where φ is a conditional formula or a pseudo-formula.

B is satisfiable if it is satisfiable in some model M under some mapping f.
A tableau is satisfiable if one of its branches is satisfiable.
    x : φ ⇒ ψ
    x : ψ ⇒ φ
    x : φ ⇒ χ
    x : ¬(ψ ⇒ χ)
    y : ψ
    ...
    ×

Fig. 2. Proof tree illustrating the proof of CSO




In order to show that the tableau rules only prove correct formulas, we
first show that they preserve satisfiability. The proof of Proposition 1 is in the
Appendix.

Proposition 1. Let T be a satisfiable tableau and let T' be obtained from T
by applying one of the rules given for CE in the table above. Then T' is also
satisfiable.

Theorem 2 (Soundness). If φ is provable then it is valid.

Proof. Suppose that φ is not valid; then ¬φ is satisfiable in a model M, thus
the tableau beginning with x : ¬φ is satisfiable. By Proposition 1 any
expansion of the tableau will contain a satisfiable branch B; B cannot be closed,
for otherwise we would have z : ψ, z : ¬ψ ∈ B (for some formula ψ) or z :
⊥ ∈ B, whence M, f(z) ⊨ ψ and M, f(z) ⊨ ¬ψ, or M, f(z) ⊨ ⊥, and we get
a contradiction. □

4.1 Termination

The tableau calculus given in Figure 1 is non-terminating due to repeated appli-
cations of the rules (F⇒) and (F□), which may generate infinitely many labels. For
instance, the tableau construction for the formula x : ⊤ ⇒ ¬(⊤ ⇒ p) can pro-
duce an infinite branch (containing x : ¬(⊤ ⇒ p), y : ⊤, y : □_x ¬⊤, y : ¬p,
y : ¬(⊤ ⇒ p), and so on). In the following we will show that, under the simple
assumption that there are no redundant applications of the tableau rules, we can
define a systematic procedure to build a tableau which terminates by introducing
suitable restrictions on the applications of the (F⇒) and (F□) rules.
We first define redundant applications of a rule as follows.

Redundant application of a rule. Let B be a tableau branch, let R be a tableau
rule applied to B, which produces the extensions of B, B_1, ..., B_k (with k ≤
3); then the application of R is redundant if for some i, B_i = B (as a set of
labelled formulas). It is easy to see that a branch B can be extended to a closed
branch just in case it can be extended to a closed branch without any redundant
application of the rules.

In the following we assume that the tableau construction does not contain
redundant applications of the rules. In particular, we assume the following re-
striction on the (T⇒) rule:

(RIC): Apply (T⇒) exactly once to each formula with each parameter from
the branch.

The reason is the following: if we apply it twice on a branch with the same
parameter, the second application is redundant. Additionally, we assume that
a branch does not contain repetitions of labelled formulas: labelled formulas
which are already on the branch are not added again when applying new rules.

In the completeness proof of the calculus, we shall prove that there cannot be infinite descending chains of labels related by the same order relation $<_x$ (such as $y_1 <_x y_0, \ldots, y_{i+1} <_x y_i, \ldots$). However, we cannot exclude that there is an infinite branching of the form $x_0 <_x z, x_1 <_x z, x_2 <_x z, \ldots$. Similarly, we cannot exclude that there are infinite descending chains of the form $y_1 <_{x_0} y_0, \ldots, y_{i+1} <_{x_i} y_i, \ldots$, when $x_1, \ldots, x_i, \ldots$ are not forced to be the same label. In general, the tableau construction could produce infinite sequences of labels by repeatedly generating new labels, with the $(F\Box)$ and $(F\Rightarrow)$ rules, and then applying the $(T\Rightarrow)$ rule to the new labels. In order to avoid the generation of infinite branches, we introduce a systematic procedure to build a tableau and we put suitable restrictions on the applications of the $(F\Rightarrow)$ and $(F\Box)$ rules. We show that the systematic procedure terminates, whence it does not lead to generating infinitely many labels. Moreover, we show that the completeness of the calculus is not lost if we adopt the systematic procedure with the mentioned restrictions.

Consider the following systematic procedure for constructing the tableau for a given formula $x : \alpha$. The procedure executes repeatedly two steps: (step a) applies the propositional rules and the $(T\Rightarrow)$, $(T\Box)$ and $(Trans)$ rules as far as possible; (step b) applies the rules $(F\Box)$ and $(F\Rightarrow)$ to the new formulas generated in the previous step. In other words, following the terminology of [15], in (step a) we apply the static rules, whereas in (step b) we apply the dynamic rules.

The fact that (step a) terminates after a finite number of rule applications is obvious, as no new world is generated in that step. After (step a) has terminated, the branch is downward saturated except for the formulas of the form $w : \neg(\phi \Rightarrow \psi)$ and $w : \neg\Box_x\phi$. Moreover, for each label $z$ currently on the branch, the only way to add new formulas with that label is through the application of the $(T\Rightarrow)$ rule. In fact, if a new labelled conditional $y : \gamma \Rightarrow \delta$ appears on the branch, the $(T\Rightarrow)$ rule can be applied to that conditional with all the previous labels as parameters (including $z$). In (step b) we apply the rule $(F\Rightarrow)$ to all the formulas $y : \neg(\gamma \Rightarrow \delta)$ on the branch and the rule $(F\Box)$ to all the formulas $y : \neg\Box_x\gamma$ on the branch, where $y$ must be a label generated in the previous (step a).

To avoid that (step a) and (step b) in the systematic procedure repeat forever, by continuing to generate new worlds, we put the following restrictions on the application of the rules $(F\Rightarrow)$ and $(F\Box)$, which are essentially loop checking conditions.

(Restriction 1) the rule $(F\Rightarrow)$ can be applied to the formula $y : \neg(\gamma \Rightarrow \delta)$ on a branch only if there is no label $z$ on the branch such that:

(1a) the branch contains the formula $z : \neg(\gamma \Rightarrow \delta)$ and the rule $(F\Rightarrow)$ has already been applied to that formula;

(1b) the positive conditional formulas labelled by $y$ are a subset of the positive conditional formulas labelled by $z$.

The idea behind (Restriction 1) is that applying the rule $(F\Rightarrow)$ to $y : \neg(\gamma \Rightarrow \delta)$ cannot add anything more to the branch than what has been obtained by applying it to $z : \neg(\gamma \Rightarrow \delta)$, if all the positive conditional formulas that hold at $y$ also hold at $z$. In such a case we can avoid generating a new label $y'$ from $y$.



(Restriction 2) the rule $(F\Box)$ can be applied to the formula $y : \neg\Box_x\gamma$ on a branch only if we cannot find two labels $z$ and $w$ on the branch such that:

(2a) the branch contains a formula $z : \neg\Box_w\gamma$ and the rule $(F\Box)$ has already been applied to that formula;

(2b) the positive conditional formulas labelled by $x$ on the branch are a subset of the positive conditional formulas labelled by $w$;

(2c) for each (positive) modal pseudo-formula $y_1 : \Box_x\alpha$ occurring on the branch, such that either $y_1 = y$ holds or $y <_x y_1$ occurs on the branch, there is a (positive) modal pseudo-formula $z_1 : \Box_w\alpha$ on the branch, such that either $z_1 = z$ holds or $z <_w z_1$ occurs on the branch.

The idea behind (Restriction 2) is that applying the rule $(F\Box)$ to $y : \neg\Box_x\gamma$ cannot add anything more to the branch than what has been obtained by applying it to $z : \neg\Box_w\gamma$, under the assumptions that: all the positive conditional formulas that hold at $x$ also hold at $w$; and all the positive modal pseudo-formulas on the branch that would be applicable to the world $y'$ generated from $y$ can also be applied to the world $z'$ generated from $z$.
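The two loop checks above are purely syntactic tests on the current branch, so they are easy to implement. The following is an added worked example (not code from the paper): a branch is a set of labelled formulas, a set of order facts $y <_x z$ and the set of negative formulas to which a dynamic rule has already been applied; `restriction1_allows` and `restriction2_allows` return whether $(F\Rightarrow)$ and $(F\Box)$ may still fire. The first sample branch is the non-terminating example of this section ($x : \top \Rightarrow \neg(\top \Rightarrow p)$) after one round of the systematic procedure; the second branch and all label and atom names are constructed for the demonstration.

```python
"""Loop checks (Restriction 1) and (Restriction 2) of Section 4.1.

Added example, not code from the paper. Formulas are nested tuples:
  ('top',)            the constant T
  ('atom', 'p')       a propositional atom
  ('not', f)          negation
  ('and', f, g)       conjunction
  ('cond', f, g)      the conditional f => g
  ('box', x, f)       the pseudo-formula box_x f, x being a label
"""
from dataclasses import dataclass, field
from itertools import product

TOP = ('top',)


def neg(f):
    return ('not', f)


def cond(f, g):
    return ('cond', f, g)


def box(x, f):
    return ('box', x, f)


@dataclass
class Branch:
    formulas: set = field(default_factory=set)  # labelled formulas (label, formula)
    order: set = field(default_factory=set)     # (y, x, z) stands for y <_x z
    expanded: set = field(default_factory=set)  # labelled formulas already expanded by (F=>) / (F box)

    def labels(self):
        labs = {lab for lab, _ in self.formulas}
        for y, x, z in self.order:
            labs |= {y, x, z}
        labs |= {f[1] for _, f in self.formulas if f[0] == 'box'}
        return labs

    def positive_conditionals(self, label):
        """Set of (gamma, delta) such that label : gamma => delta is on the branch."""
        return {(f[1], f[2]) for lab, f in self.formulas
                if lab == label and f[0] == 'cond'}

    def box_formulas(self, x):
        """Pairs (label, alpha) for every positive pseudo-formula label : box_x alpha."""
        return {(lab, f[2]) for lab, f in self.formulas
                if f[0] == 'box' and f[1] == x}

    def chain_above(self, x, y):
        """Labels y1 such that y1 = y or y <_x y1 is on the branch."""
        return {y} | {z for a, idx, z in self.order if a == y and idx == x}


def restriction1_allows(b, y, gamma, delta):
    """(F=>) may be applied to y : not(gamma => delta) unless some label z blocks it."""
    target = neg(cond(gamma, delta))
    pc_y = b.positive_conditionals(y)
    for z in b.labels():
        already = (z, target) in b.formulas and (z, target) in b.expanded  # (1a)
        if already and pc_y <= b.positive_conditionals(z):                 # (1b)
            return False
    return True


def restriction2_allows(b, y, x, gamma):
    """(F box) may be applied to y : not box_x gamma unless labels z, w block it."""
    pc_x = b.positive_conditionals(x)
    # pseudo-formulas box_x alpha that would propagate to the new world below y
    needed = {alpha for y1, alpha in b.box_formulas(x) if y1 in b.chain_above(x, y)}
    for z, w in product(b.labels(), repeat=2):
        blocker = (z, neg(box(w, gamma)))
        if blocker not in b.formulas or blocker not in b.expanded:  # (2a)
            continue
        if not pc_x <= b.positive_conditionals(w):                 # (2b)
            continue
        available = {alpha for z1, alpha in b.box_formulas(w)
                     if z1 in b.chain_above(w, z)}
        if needed <= available:                                    # (2c)
            return False
    return True


P, Q, R = ('atom', 'p'), ('atom', 'q'), ('atom', 'r')


def paper_example_branch():
    """The branch of Section 4.1 for x : T => not(T => p), built by hand: (F=>) has been
    applied to x : not(T => p), creating y, and the third branch of (T=>) with
    parameter y has added y : not(T => p)."""
    b = Branch()
    b.formulas |= {('x', cond(TOP, neg(cond(TOP, P)))),
                   ('x', neg(cond(TOP, P))),
                   ('y', TOP), ('y', box('x', neg(TOP))), ('y', neg(P)),
                   ('y', neg(cond(TOP, P)))}
    b.expanded.add(('x', neg(cond(TOP, P))))
    return b


def modal_example_branch():
    """Constructed branch for (Restriction 2): (F box) was already applied to
    z : not box_w q; y : not box_x q is the candidate; y : box_x r would propagate to
    the new world below y, and z1 : box_w r with z <_w z1 covers it on the z side."""
    b = Branch()
    b.formulas |= {('z', neg(box('w', Q))), ('y', neg(box('x', Q))),
                   ('y', box('x', R)), ('z1', box('w', R))}
    b.order.add(('z', 'w', 'z1'))
    b.expanded.add(('z', neg(box('w', Q))))
    return b


if __name__ == '__main__':
    b = paper_example_branch()
    print('(F=>) on y : not(T => p) allowed?', restriction1_allows(b, 'y', TOP, P))
    m = modal_example_branch()
    print('(F box) on y : not box_x q allowed?', restriction2_allows(m, 'y', 'x', Q))
```

On the paper's example the check blocks the second application of $(F\Rightarrow)$, because $y$ carries no positive conditional while $x : \neg(\top \Rightarrow p)$ has already been expanded; adding a positive conditional at $y$ that $x$ lacks (for instance $y : q \Rightarrow r$) unblocks it, which is exactly the situation that (1b) is meant to distinguish.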

The systematic procedure with the two restrictions preserves completeness.

Lemma 1. If a branch $B$ closes, it still closes under (Restriction 1).

Lemma 2. If a branch $B$ closes, it still closes under (Restriction 2).

The proofs of the lemmas are in the Appendix.

Theorem 3. The systematic procedure with (Restriction 1) and (Restriction 2) terminates.

Proof. Let us suppose that a systematic attempt at proving a formula goes on forever. Then there must be an infinite branch $B$ containing infinitely many different labels, because it does not contain repetitions and only a finite number of formulas can appear in the tableau (by the subformula property).

The branch must either contain infinitely many applications of the rule $(F\Rightarrow)$ to a formula $\neg(\phi \Rightarrow \psi)$ or infinitely many applications of the rule $(F\Box)$ to a formula $\neg\Box_x\alpha$ (or both).

For the first case, it is not possible to apply rule $(F\Rightarrow)$ infinitely many times to the same formula $\neg(\phi \Rightarrow \psi)$ without violating (Restriction 1). To see this, each time the rule is applied to $y : \neg(\phi \Rightarrow \psi)$, by (Restriction 1) for all possible $z : \neg(\phi \Rightarrow \psi)$ on the branch there is some positive conditional formula labelled by $y$ that is not labelled by $z$. This is not possible, since by the subformula property there is only a finite number of positive conditionals.

For the second case, it is not possible to apply the rule $(F\Box)$ infinitely many times to the same formula $\neg\Box_x\alpha$ without violating (Restriction 2). In fact, each time the rule $(F\Box)$ is applied to $y : \neg\Box_x\alpha$, by (Restriction 2) for all possible $z : \neg\Box_w\alpha$ on the branch: either there is some positive conditional formula labelled by $x$ that is not labelled by $w$ (but this cannot occur an infinite number of times, for the reasons above) or there is a (positive) modal pseudo-formula $y_1 : \Box_x\alpha$ occurring on the branch such that either $y_1 = y$ holds or $y <_x y_1$, and there is no corresponding $z_1 : \Box_w\alpha$ on the branch such that either $z_1 = z$ holds or $z <_w z_1$ occurs on the branch. This second condition says, in essence, that a formula $\Box_x\alpha$ must hold at $y$ while it does not hold at the worlds $z$ such that the $(F\Box)$ rule has already been applied to $z : \neg\Box_w\alpha$. As the number of formulas $\alpha$ which may occur in the tableau is finite (note that $\alpha$ cannot contain modalities), also this condition cannot be true an infinite number of times.



4.2 Completeness

To prove completeness we restrict our attention to tableaux which can be generated starting from an input formula $\phi$.

We first show that no tableau may contain infinite descending chains of labels related by the same relation $<_x$, provided it does not contain an infinite number of labelled conditional formulas with the same label. This is of course true if tableaux start with a finite number of formulas. It is interesting to notice that this holds independently of Restrictions 1 and 2, which we have introduced to ensure termination.

Lemma 3. Let $B$ be a branch of a tableau containing only a finite number of positive conditional formulas $x : \phi_0 \Rightarrow \psi_0, x : \phi_1 \Rightarrow \psi_1, x : \phi_2 \Rightarrow \psi_2, \ldots, x : \phi_{n-1} \Rightarrow \psi_{n-1}$. Then $B$ does not contain an infinite descending chain of labels $y_1 <_x y_0, y_2 <_x y_1, \ldots, y_{i+1} <_x y_i, \ldots$.

Proof. Let $B$ contain a descending chain of labels $y_1 <_x y_0, y_2 <_x y_1, \ldots, y_{i+1} <_x y_i$. This chain comes from the successive application of $(T\Rightarrow)$ and $(F\Box)$ to formulas $x : \phi_i \Rightarrow \psi_i$ for $0 \le i < n$. $B$ then contains the following formulas (for $0 \le i < n$): $y_i : \neg\Box_x\neg\phi_i$, $y_{i+1} <_x y_i$, $y_{i+1} : \phi_i$, $y_{i+1} : \Box_x\neg\phi_i$.

Here $(T\Rightarrow)$ has been applied to every formula $x : \phi_i \Rightarrow \psi_i$ once and with parameter $y_i$ previously (and newly) generated by $(F\Box)$ from $y_{i-1} : \neg\Box_x\neg\phi_{i-1}$. The only way to make the chain longer is by applying $(T\Rightarrow)$ a second time to one of the positive conditional formulas labelled $x$ on $B$. Let this formula be $x : \phi_k \Rightarrow \psi_k$ where $0 \le k < n$. According to the restriction (RIC), $k \ne i$. Then $B$ contains further $y_{n+1} : \phi_k$ (together with $y_n : \neg\Box_x\neg\phi_k$, $y_{n+1} <_x y_n$, $y_{n+1} : \Box_x\neg\phi_k$).

By the transitivity rule, we get $y_{n+1} <_x y_{k+1}$. Moreover, $B$ contains also $y_{k+1} : \Box_x\neg\phi_k$, from which we obtain by $(T\Box)$ $y_{n+1} : \neg\phi_k$, which closes the branch.

Definition 4. We say that a branch $B$ of a tableau is regular if whenever $z <_x y \in B$ we have (i) $y <_x z \notin B$, (ii) $y \ne z$. We say that a tableau is regular if every branch is regular.

Lemma 4. Let $T$ be a tableau beginning with $x : \phi$. Any expansion of $T$ is regular.

Proof. Given a branch $B$ we prove something stronger, namely that the claim holds for the transitive closure $CT(B)$ of $B$ w.r.t. $<_x$. Proceeding by induction on the expansion of $B$, we show that, if the property holds for $B$, then it holds also for any $B'$ obtained from $B$ by the application of any rule. All cases, except $(F\Box)$, are trivial as $CT(B') = CT(B)$. Suppose that $B'$ is obtained by expanding $B$ on $u : \neg\Box_y\chi$; then $CT(B') = CT(B \cup \{w <_y u\}) = CT(B) \cup \{w <_y u\} \cup \{w <_y z \mid u <_y z \in CT(B)\}$, where $w$ does not occur in $B$. We leave to the reader to check that for any $a <_y b \in CT(B')$ it must be $b <_y a \notin B'$ and $b \ne a$.

Given a conditional language $\mathcal{L}$, let $B$ be a branch. The notion of saturated branch that will be defined below expresses that all tableau rules which could be applied to the branch have been applied to it.

Definition 5. A branch $B$ is saturated if

1. If $x : \phi \wedge \psi \in B$ then $x : \phi \in B$ and $x : \psi \in B$.

2. If $x : \neg(\phi \wedge \psi) \in B$ then either $x : \neg\phi \in B$ or $x : \neg\psi \in B$.

3. If $x : \neg\neg\phi \in B$ then $x : \phi \in B$.

4. If $x : (\phi \Rightarrow \psi) \in B$ then for any label $y \in W_B$, either $y : \neg\phi \in B$ or $y : \neg\Box_x\neg\phi \in B$ or $y : \psi \in B$.

5. If $x : \neg(\phi \Rightarrow \psi) \in B$ then there is a label $y$ such that $y : \phi \in B$ and $y : \neg\psi \in B$ and $y : \Box_x\neg\phi \in B$.

6. If $y : \Box_x\phi \in B$ and $z <_x y \in B$ then $z : \phi \in B$.

7. If $y : \neg\Box_x\phi \in B$ then there is a label $z$ such that $z <_x y \in B$ and $z : \neg\phi \in B$ and $z : \Box_x\phi \in B$.

We show that a saturated, open, regular branch $B$ is satisfiable. To this purpose, we define the canonical model for $B$, which will satisfy all formulas on the branch.

Let $\mathcal{M}_B = (W, \{\sqsubseteq_x\}_{x \in W}, I)$, where: 1) $W = W_B$; 2) for each $x \in W$, $y \sqsubseteq_x z$ iff $y <_x z \in B$ or $y = z$; 3) for each $x \in W$, $I(x) = \{p \mid p \in ATM \text{ and } x : p \in B\}$.

Lemma 5. Let $B$ be an open, saturated, regular branch which, for every label $x \in W_B$, contains only a finite number of positive conditional formulas. Then $\mathcal{M}_B$ is a model.

Proof. We show the following facts:

1. $\sqsubseteq_x$ is a reflexive and transitive relation on $W$. Obvious.

2. Let $z \sqsubset_x y$ iff $z \sqsubseteq_x y$ and not $y \sqsubseteq_x z$. Then we have: $z \sqsubset_x y$ iff $z <_x y \in B$. Suppose that $z \sqsubset_x y$. Then we have $z \sqsubseteq_x y$ and not $y \sqsubseteq_x z$. From the first inequality we get $z <_x y \in B$ or $y = z$, and from "not $y \sqsubseteq_x z$" we get $y \ne z$, thus it must be $z <_x y \in B$. Conversely, let $z <_x y \in B$; we have $z \sqsubseteq_x y$. Suppose that also $y \sqsubseteq_x z$; then we would have either $z = y$ or $y <_x z \in B$, against the fact that $B$ is regular.

3. Let $S \subseteq W$ and $S \ne \emptyset$; then $Min_x(S) \ne \emptyset$. Suppose $Min_x(S) = \emptyset$; let $y_1 \in S \ne \emptyset$. There must be an infinite descending chain of elements of $S$, $y_{n+1} \sqsubset_x y_n \sqsubset_x \ldots \sqsubset_x y_1$. By the previous fact we have the infinite decreasing sequence $y_{n+1} <_x y_n <_x \ldots <_x y_1 \in B$. By Lemma 3 we have a contradiction.

We now show that $B$ is satisfiable by $\mathcal{M}_B$.

Lemma 6. Let $B$ be an open, saturated, regular branch which, for every label $x \in W_B$, contains only a finite number of positive conditional formulas with label $x$. Then $B$ is satisfiable.

Proof. We consider the canonical model $\mathcal{M}_B$ for $B$. Then obviously the identity $id(x) = x$ is a (CE)-mapping by the construction of $\mathcal{M}_B$. We show that $B$ is satisfiable by $\mathcal{M}_B$ under $id$. We show by induction over the formulas that $\mathcal{M}_B$ satisfies all formulas and pseudo-formulas in $B$.

— The case of atomic formulas and boolean combinations of formulas is easy and left to the reader.

— Let $x : \phi \Rightarrow \psi \in B$ and $y \in W_B$. Then either (i) $y : \neg\phi \in B$ or (ii) $y : \neg\Box_x\neg\phi \in B$, or (iii) $y : \psi \in B$. If (i), by the induction hypothesis we have $\mathcal{M}_B, y \not\models \phi$, thus $y \notin Min_x(\phi)$. If (ii), there is a label $z$ such that $z <_x y \in B$ and $z : \phi \in B$. By the previous lemma we have $z \sqsubset_x y$ and by the induction hypothesis $\mathcal{M}_B, z \models \phi$, thus $y \notin Min_x(\phi)$. If (iii), by the induction hypothesis we get $\mathcal{M}_B, y \models \psi$. We have shown that if $y \in Min_x(\phi)$ then $\mathcal{M}_B, y \models \psi$.

— Let $x : \neg(\phi \Rightarrow \psi) \in B$. Then there is $y$ such that $y : \phi \in B$ and $y : \Box_x\neg\phi \in B$ and $y : \neg\psi \in B$. Then $\mathcal{M}_B, y \models \phi$ and $\mathcal{M}_B, y \models \neg\psi$ by the induction hypothesis. We show that $y \in Min_x(\phi)$. Suppose that this is not the case; since $\mathcal{M}_B, y \models \phi$, there is $z \sqsubset_x y$ with $\mathcal{M}_B, z \models \phi$. By the previous lemma, we have $z <_x y \in B$ and by saturation $z : \neg\phi \in B$; by the induction hypothesis we would have $\mathcal{M}_B, z \models \neg\phi$, a contradiction. Therefore $y \in Min_x(\phi)$, which proves $\mathcal{M}_B, y \models \neg(\phi \Rightarrow \psi)$.

— Let $y : \Box_x\phi \in B$ and $v \in W$ and $v \sqsubset_x y$. By the previous lemma $v <_x y \in B$. From this it follows $v : \phi \in B$, whence $\mathcal{M}_B, v \models \phi$.

— Let $y : \neg\Box_x\phi \in B$. Then there is a label $z$ such that $z <_x y \in B$ and $z : \neg\phi \in B$ and $z : \Box_x\phi \in B$. From this we obtain that there is $z \in W$ with $z \sqsubset_x y$ (by the previous lemma) and $\mathcal{M}_B, z \models \neg\phi$, from which it follows that $\mathcal{M}_B, y \models \neg\Box_x\phi$.
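The canonical model construction, the facts of Lemma 5 and the satisfaction argument of Lemma 6 can be checked mechanically on a concrete branch. The following is an added worked example (not code from the paper): it builds $\mathcal{M}_B$ from a set of labelled formulas and order facts, computes $\sqsubseteq_x$, $\sqsubset_x$ and $Min_x(S)$ as defined above, checks regularity (Definition 4), and evaluates formulas and pseudo-formulas in the model under the identity mapping. The sample branch, with labels $x, y, z$ and atoms $p, q, r$, is constructed here as an open, saturated, regular branch for the input $x : \neg(p \Rightarrow q)$.

```python
"""Canonical model M_B of a branch B (Section 4.2); added example, not code from the paper.

Formulas are nested tuples: ('top',), ('atom', p), ('not', f), ('and', f, g),
('cond', f, g) for f => g, ('box', x, f) for box_x f.  A branch is a set of
labelled formulas (label, formula) plus a set of order facts (y, x, z) for y <_x z.
"""


def is_regular(order):
    """Definition 4: z <_x y in B implies y <_x z not in B and y != z."""
    return all(z != y and (y, x, z) not in order for z, x, y in order)


def sqsubseteq(order, x, y, z):
    """Clause 2 of M_B: y is below-or-equal z w.r.t. x iff y <_x z is in B or y = z."""
    return y == z or (y, x, z) in order


def strictly_below(order, x, z, y):
    """Fact 2 of Lemma 5: z strictly below y w.r.t. x iff z <= y and not y <= z."""
    return sqsubseteq(order, x, z, y) and not sqsubseteq(order, x, y, z)


def min_x(order, x, S):
    """Min_x(S): members of S with no member of S strictly below them w.r.t. x."""
    return {y for y in S if not any(strictly_below(order, x, z, y) for z in S)}


def canonical_model(formulas, order):
    """M_B = (W, {<=_x}, I) with W = W_B and I(w) = atoms p such that w : p is in B."""
    worlds = {lab for lab, _ in formulas} | {v for fact in order for v in fact}
    interp = {w: {f[1] for lab, f in formulas if lab == w and f[0] == 'atom'}
              for w in worlds}
    return {'W': worlds, 'order': order, 'I': interp}


def holds(model, w, f):
    """Truth of a formula or pseudo-formula at world w of the canonical model."""
    W, order, I = model['W'], model['order'], model['I']
    kind = f[0]
    if kind == 'top':
        return True
    if kind == 'atom':
        return f[1] in I[w]
    if kind == 'not':
        return not holds(model, w, f[1])
    if kind == 'and':
        return holds(model, w, f[1]) and holds(model, w, f[2])
    if kind == 'cond':  # phi => psi holds at w iff Min_w(phi) is included in psi
        ext_phi = {v for v in W if holds(model, v, f[1])}
        return all(holds(model, v, f[2]) for v in min_x(order, w, ext_phi))
    if kind == 'box':   # box_x phi holds at w iff phi holds at every v strictly below w w.r.t. x
        x, phi = f[1], f[2]
        return all(holds(model, v, phi) for v in W if strictly_below(order, x, v, w))
    raise ValueError(f'unknown formula kind {kind!r}')


def branch_satisfied(model, formulas):
    """Lemma 6 under the identity mapping: every lab : f of B holds at world lab."""
    return all(holds(model, lab, f) for lab, f in formulas)


P, Q, R = ('atom', 'p'), ('atom', 'q'), ('atom', 'r')


def sample_branch():
    """Constructed open, saturated, regular branch for the input x : not(p => q):
    (F=>) produced y with y : p, y : box_x not p, y : not q; a further world z with
    z <_x y received z : not p by (T box); z : r is an extra atom."""
    formulas = {('x', ('not', ('cond', P, Q))),
                ('y', P), ('y', ('box', 'x', ('not', P))), ('y', ('not', Q)),
                ('z', ('not', P)), ('z', R)}
    order = {('z', 'x', 'y')}
    return formulas, order


if __name__ == '__main__':
    F, O = sample_branch()
    M = canonical_model(F, O)
    print('regular:', is_regular(O))
    print('Min_x(W):', min_x(O, 'x', M['W']))
    print('branch satisfied by M_B:', branch_satisfied(M, F))
```

In the sample, $Min_x(W) = \{x, z\}$ because $z \sqsubset_x y$ while $x$ and $z$ are incomparable, and $x : \neg(p \Rightarrow q)$ is verified exactly as in the proof of Lemma 6: $y$ is the only $p$-world, nothing is strictly below it that satisfies $p$, so $y \in Min_x(p)$ and $y \not\models q$.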

Theorem 4. If a formula $\phi$ is CE-valid then $\phi$ is $T$-provable.

Proof. Suppose that $\phi$ is not $T$-provable. Then the tableau starting with $x : \neg\phi$ contains some open, regular, saturated branch $B$. Since $\phi$ is finite, $B$ contains only a finite number of positive conditionals with the same label. Thus we can construct the canonical model $\mathcal{M}_B$. By Lemma 6, $\mathcal{M}_B, x \models \neg\phi$. Thus $\phi$ cannot be valid.

5 Extensions of CE

The tableau method introduced in the previous section can be extended in order to deal with extensions of CE defined by combinations of the following semantic properties (and corresponding axioms):

(CV) $y \le_x z \vee z \le_x y$ (connectedness)

(CS) $y \le_x x \rightarrow y = x$ \qquad $(\phi \wedge \psi) \rightarrow (\phi \Rightarrow \psi)$

(MP) $y \le_x x \rightarrow x \le_x y$ \qquad $(\phi \Rightarrow \psi) \rightarrow (\phi \rightarrow \psi)$

(CEM) $y \ne z \rightarrow y <_x z \vee z <_x y$ \qquad $(\phi \Rightarrow \psi) \vee (\phi \Rightarrow \neg\psi)$

Theorem 1 can be extended to show that each semantic property is captured by the corresponding axiom. Let $S$ be any subset of the above conditions/axioms; by CE+S-validity we mean validity in the CE-models satisfying the additional conditions $S$.

Theorem 5 ([10, 16]). A formula $\phi$ is CE+S-valid iff it is derivable in CE plus axioms $S$.

As an example, we consider the combinations CE+MP, CE+CV, and CE+MP+CV+CS.

In the extended tableau systems we have new kinds of tableau formulas, namely $y \le_x z$ and $y = z$. Hence, we need to change the closure conditions accordingly. Thus, for the extensions of CE, we say that a branch closes if it contains one of the following combinations: (i) $x : \phi$ and $x : \neg\phi$, or $x : \bot$; (ii) $x = y$, $x : \phi$, $y : \neg\phi$; (iii) $y <_x z \in B$ and $u \le_v w \in B$ for $y = w$, $z = u$ and $x = v$. A tableau is closed if every branch is closed. The rules we need are the following. We write $\preceq_x$ to denote either $<_x$ or $\le_x$.

(GenTrans) $\dfrac{y \preceq_x z \qquad z \preceq_x u}{y \preceq_x u}$ \qquad (Trans=) $\dfrac{y = z \qquad z = u}{y = u}$ \qquad (Symm=) $\dfrac{y = x}{x = y}$

where if $y \preceq_x u$ is $y <_x u$ then either $y \preceq_x z$ is $y <_x z$ or $z \preceq_x u$ is $z <_x u$.

(Conn) $\dfrac{}{y \le_x z \mid z \le_x y}$ \qquad (MP) $\dfrac{y <_x x}{x : \bot}$ \qquad (CS) $\dfrac{y \le_x x}{y = x}$

We obtain the systems above by adding the above rules to those of CE as follows:

— CE+MP: (MP)

— CE+CV: (GenTrans), (Conn)

— CE+MP+CV+CS: (GenTrans), (Conn), (Trans=), (Symm=), (MP), (CS)

In order to show that the rules for the extensions of CE are complete, we need to extend the notion of saturated branch as follows.

Definition 6. We say that a branch is

— saturated with respect to CE+MP if it satisfies Definition 5 and whenever $y <_x x \in B$, then also $x : \bot \in B$;

— saturated with respect to CE+CV if it satisfies Definition 5 and: 1) whenever $y \preceq_x z \in B$ and $z \preceq_x u \in B$, then also $y \preceq_x u \in B$; 2) for all $x, y, z \in W$, either $y \le_x z \in B$ or $z \le_x y \in B$;

— saturated with respect to CE+MP+CV+CS if it is saturated w.r.t. CE+CV and w.r.t. CE+MP, and whenever $y \le_x x \in B$, also $y = x \in B$ and $x = y \in B$.

We observe that none of the rules above introduces in the tableau new labels or new formulas that create new labels when decomposed. From these observations it follows that

Lemma 7. Non-existence of infinite descending chains (as stated by Lemma 3) also holds for the extensions of CE.

By this fact, we can show the completeness of the systems.

Theorem 6.

— Tableau system CE+MP is complete with respect to CE+MP models.

— Tableau system CE+CV is complete with respect to CE+CV models.

— Tableau system CE+MP+CV+CS is complete with respect to CE+MP+CV+CS models.

As far as CE+MP is concerned, the proof is straightforward. As far as CE+CV and CE+MP+CV+CS are concerned, the construction of the canonical model is a bit more tricky. In particular, to cope with $=$ in CE+MP+CS, we define $W$ as a set of equivalence classes (w.r.t. $=$) rather than single labels. Detailed proofs are in the Appendix.

6 Conclusions

In this work we have presented a labelled calculus for CE and some of its extensions. The proof methods are uniform in the sense that each specific semantic condition is captured by a tableau rule. Moreover, the proof method is based on the introduction of pseudo-formulas, that are modalities in a hybrid language indexed on worlds. We have been able to obtain a terminating procedure for CE by performing a loop-checking. In future research we shall try to extend this approach to the other extensions of CE as well. Another issue that deserves investigation is whether transitivity is necessary for CE. It seems that this rule is not necessary, but we do not have conclusive evidence for it.*

We briefly remark on some related works. De Swart [8] and Gent [12] give sequent/tableaux calculi for the conditional logics VC (= CE+CV+MP+CS) and VCS. The kind of systems they propose are based on the entrenchment connective $\le$, from which the conditional operator can be defined. Their systems are analytic and comprise an infinite set of rules $\le F(n,m)$, with a uniform pattern, to decompose each sequent with $m$ negative and $n$ positive entrenchment formulas.

Crocco and Fariñas [4] present sequent calculi for some conditional logics including minimal CK, CEM, CO (= CE without CA) and others. Their calculi comprise two levels of sequents: principal sequents with $\vdash_p$ correspond to the basic deduction relation, whereas auxiliary sequents with $\vdash_a$ correspond to the conditional operator: thus the constituents of $\Gamma \vdash_p \Delta$ are sequents of the form $X \vdash_a Y$, where $X, Y$ are sets of formulas.

Artosi, Governatori, and Rotolo [2] develop a labelled tableau for the first-degree fragment (i.e. without nested conditionals) of conditional logic CO (they call it CU and it corresponds to cumulative non-monotonic logics). Formulas are labelled by paths of worlds containing also variable worlds. Since they adopt a selection function semantics, they have to cope with the problem of equivalent antecedents: i.e. if $[A] = [A']$ then $f(A,w) = f(A',w)$. They use an efficient unification procedure to propagate positive conditionals, and the unification procedure takes care of checking the equivalence of antecedents. Their tableau system is not analytical, as it contains a cut-rule, called PB, which is not eliminable. Moreover, it is not clear how to extend it to CE and stronger systems on the one hand, and to nested conditionals on the other.

* It is easy to see that the transitivity rule can be replaced by incorporating $\Box$-propagation in the $(T\Box)$-rule (as in standard rules for transitive modal logics). However, this would just shift the problem onto the need of the modified $(T\Box)$-rule.
Broda, Gabbay, Lamb, and Russo develop an elegant natural deduction system for Boutilier's conditional logic of normality and some variants of it [3], [1]. Their proof system uses labels following the methodology of Labelled Deductive Systems [1], where the objects involved in the proofs are structured configurations of formulas, worlds, and relations thereof. In this respect their approach is rather similar to ours. However, as we already observed, Boutilier's conditional logic has a simpler semantics defined in terms of standard modal logic without world-indexed relations or modalities (and thus it cannot handle nested and iterated conditionals). Moreover, it is not evident if one can extract a decision procedure for Boutilier's logic from their natural deduction system.

Lamarre [20] presents tableaux systems for the conditional logics V (= CE+CV), VN, VC and VW (= CE+CV+MP). Lamarre's method is a consistency-checking procedure which tries to build a system of spheres falsifying the input formulas. The method makes use of a subroutine to compute the core, which is defined as the set of formulas characterizing the minimal sphere. The computation of the core needs in turn the consistency checking procedure. Thus there is a mutually recursive definition between the procedure for checking consistency and the one to compute the core.

Groeneboer and Delgrande [17] have developed a tableau method for the conditional logic VN which is based on the translation of this logic into the modal logic S4.3.

In [23], a labelled sequent calculus for the minimal normal conditional logic CK and some extensions of it is presented. The calculi are based on the selection function semantics for these logics. In the case of CK, the calculus is used to provide a polynomial-space complexity bound for this logic.

Finally, complexity results for conditional logics in the neighbourhood of CE and its extensions have been provided in [10]; the results are obtained semantically, by arguing about the size of possible countermodels.
Appendix

Proposition 1. Let $T$ be a satisfiable tableau and let $T'$ be obtained from $T$ by applying one of the rules given for CE in the table above. Then $T'$ is also satisfiable.

Proof. If $T$ is a satisfiable tableau, then it contains at least one branch $B$ which is satisfiable; that is, there is a model $\mathcal{M} = (W, \{<_x\}_{x \in W}, I)$ and a (CE)-mapping $f$ such that 1 and 2 from Definition 3 hold. We will show that for each tableau rule applied to $T$, the resulting tableau $T'$ is still satisfiable.

(class) The case of classical connectives is easy and left to the reader.

$(T\Rightarrow)$ Let $x : \phi \Rightarrow \psi \in B$. Then $T'$ is $T$ with $B$ replaced by three new branches $B_1 = B \cup \{y : \neg\phi\}$, $B_2 = B \cup \{y : \neg\Box_x\neg\phi\}$ and $B_3 = B \cup \{y : \psi\}$. If $y \notin W_B$, no $B_i$ can be closed by the new element, since $B$ does not contain any element labelled $y$. Consider the case where $y \in W_B$. We will show that at least one of these branches is satisfiable. Since $B$ is satisfiable, there is a model $\mathcal{M} = (W, \{<_x\}_{x \in W}, I)$ and a (CE)-mapping $f$ such that $\mathcal{M}, f(x) \models \phi \Rightarrow \psi$. Then for all $v \in Min_{<_{f(x)}}(\phi)$, $\mathcal{M}, v \models \psi$. This is true iff $\forall v \in W$, ($\mathcal{M}, v \models \neg\phi$ or $\exists v' (v' <_{f(x)} v$ and $v' \models \phi)$ or $\mathcal{M}, v \models \psi$). Since $y \in W_B$, $f(y) \in W$, one of the following is true:

1. $\mathcal{M}, f(y) \models \neg\phi$

2. $\exists v' (v' <_{f(x)} f(y)$ and $v' \models \phi)$

3. $\mathcal{M}, f(y) \models \psi$

In the first case $B_1$ is satisfiable, in the second case $B_2$ is satisfiable and in the third case $B_3$ is satisfiable.

$(F\Rightarrow)$ Let $x : \neg(\phi \Rightarrow \psi) \in B$. Then $\mathcal{M}, f(x) \models \neg(\phi \Rightarrow \psi)$, i.e. there is $v \in Min_{<_{f(x)}}(\phi)$ such that $\mathcal{M}, v \models \neg\psi$. If rule $(F\Rightarrow)$ is applied to $x : \neg(\phi \Rightarrow \psi)$ on $T$, the resulting tableau $T'$ is $T$ with $B$ replaced by $B' = B \cup \{y : \phi, y : \Box_x\neg\phi, y : \neg\psi\}$, where $y \notin W_B$. Therefore, $f$ is not defined for $y$. We define a new mapping $f' : W_{B'} \to W$ by $f'(i) = f(i)$ if $i \ne y$ and $f'(y) = v$. $f'$ is a (CE)-mapping from $W_{B'}$ to $W$: let $w <_u w' \in B'$. Since $y$ is new on $B'$, $u \ne y$, $w \ne y$ and $w' \ne y$, and hence $u \in W_B$, $w \in W_B$ and $w' \in W_B$. Therefore, we have $f'(w) <_{f'(u)} f'(w')$. Consider the new formulas on $B'$: $y : \phi$, $y : \neg\psi$ and $y : \Box_x\neg\phi$. Then $\mathcal{M}, f'(y) \models \phi$, because $f'(y) = v \in Min_{<_{f(x)}}(\phi)$, i.e. $\mathcal{M}, v \models \phi$, and $\mathcal{M}, f'(y) \models \neg\psi$. For $y : \Box_x\neg\phi \in B'$, let $w \in W$ and $w <_{f'(x)} f'(y)$ $(= v)$. Since $v \in Min_{<_{f(x)}}(\phi)$, $w \not\models \phi$.

$(T\Box)$ Let $y : \Box_x\phi \in B$ and $z <_x y \in B$. After application of rule $(T\Box)$, the resulting tableau $T'$ is $T$ with $B$ replaced by $B' = B \cup \{z : \phi\}$. Since $B$ is satisfiable by $\mathcal{M}$ under $f$, we have that for every $v <_{f(x)} f(y)$, $\mathcal{M}, v \models \phi$. Since $z <_x y \in B$, $f(z) <_{f(x)} f(y)$. Consequently, $\mathcal{M}, f(z) \models \phi$, hence $B'$ is also satisfiable.






$(F\Box)$ Let $y : \neg\Box_x\phi \in B$. Since $B$ is satisfiable by $\mathcal{M}$ under $f$ and $y : \neg\Box_x\phi \in B$, there is $w \in W$ with $w <_{f(x)} f(y)$ and $\mathcal{M}, w \models \neg\phi$. Then the set of worlds satisfying $\neg\phi$ is nonempty, and therefore by the limit assumption there is $v \in Min_{<_{f(x)}}(\neg\phi)$, and therefore $\mathcal{M}, v \models \neg\phi$. After applying $(F\Box)$, we have $B' = B \cup \{z <_x y, z : \neg\phi, z : \Box_x\phi\}$, where $z \notin W_B$. We define a new mapping $f'$ by $f'(u) = f(u)$ for $u \ne z$ and $f'(z) = v$. Since $f'(z) <_{f(x)} f'(y)$, $f'$ is a (CE)-mapping. Moreover, we have $\mathcal{M}, f'(z) \models \neg\phi$. For $z : \Box_x\phi \in B'$ we have to show that whenever $u <_{f'(x)} f'(z)$, $\mathcal{M}, u \models \phi$. Since $f'(z) = v \in Min_{<_{f(x)}}(\neg\phi)$, for all $u <_{f(x)} v$, $u \not\models \neg\phi$, i.e. $u \models \phi$.

Lemma 1. If a branch $B$ closes, it still closes under (Restriction 1).

Proof (sketch). Assume that the application of rule $(F\Rightarrow)$ to $z : \neg(A \Rightarrow B)$ has given rise to the new world $z'$ and added to the branch the following formulas:

$z' : A$

$z' : \Box_z\neg A$ (i)

$z' : \neg B$

On the other hand, the application of rule $(F\Rightarrow)$ to $y : \neg(A \Rightarrow B)$ would introduce a new world $y'$ and would add to the branch the following formulas:

$y' : A$

$y' : \Box_y\neg A$

$y' : \neg B$

We want to show that there are no inferences which can be done on $y'$ or its descendants and cannot be done on $z'$ or its descendants.

Both $z'$ and $y'$ are not related to other labels on the branch by the relation $<_w$ (for all $w$). The formulas on the branch which can contribute to introduce new formulas with label $z'$ on the branch are the positive conditionals, to which the $(T\Rightarrow)$ rule can be applied with $z'$ as parameter. All other formulas (propositional formulas, modal pseudo-formulas and the negative conditionals) which are currently on the branch with a label different from $z'$ cannot give any contribution to introduce formulas with label $z'$. Among the positive conditionals on the branch we have to distinguish those with label $z$. Indeed, the application of the $(T\Rightarrow)$ rule to a conditional $z : \alpha \Rightarrow \beta$ with parameter $z'$ introduces the formula $z' : \neg\Box_z\neg\alpha$ on the branch, which may interact with the formula (i) to close the branch. The same can be said for $y'$: only positive conditionals on the branch can introduce new formulas with label $y'$ and, in particular, the positive conditionals labelled with $y$ play a special role, as they allow formulas of the form $y' : \neg\Box_y\neg\alpha$ to be added to the branch.

As all conditionals on the branch are equally applicable to $z'$ and $y'$, in order to be sure that $y'$ cannot allow more inferences than $z'$ we only have to require that for all those conditionals labelled with $y$ (as $y : \alpha \Rightarrow \beta$) there is a corresponding conditional labelled with $z$ ($z : \alpha \Rightarrow \beta$), which is given by condition (1b) of (Restriction 1).

In order to prove the lemma, we can use the observations above as follows. Given a closed branch $B$, we can obtain from it another branch $B'$ by removing from $B$ all the inferences $(F\Rightarrow)$ which do not satisfy (Restriction 1) and by replacing all the formulas labelled by $y'$ (the world created by the application of $(F\Rightarrow)$) and all its descendants with the corresponding formulas labelled with $z'$ and its descendants (if such formulas have not already been introduced on the branch).

Lemma 2. If a branch $B$ closes, it still closes under (Restriction 2).

Proof (sketch). Assume that the application of rule $(F\Box)$ to $z : \neg\Box_w A$ has given rise to the new world $z'$ and added to the branch the following formulas:

$z' <_w z$

$z' : \neg A$

$z' : \Box_w A$.

On the other hand, the application of rule $(F\Box)$ to $y : \neg\Box_x A$ would introduce a new world $y'$ and would add to the branch the following formulas:

$y' <_x y$

$y' : \neg A$

$y' : \Box_x A$ (ii).

Observe that $z'$ belongs to a descending $<_w$ chain and labels a $\Box_w$ modality, while $y'$ belongs to a descending $<_x$ chain and labels a $\Box_x$ modality. The formulas on the branch that may add new formulas with label $y'$ are the positive conditionals and the positive modalities. In particular, a positive conditional labelled with $x$, like $x : \alpha \Rightarrow \beta$, by the $(T\Rightarrow)$ rule can produce the addition to the branch of the formula $y' : \neg\Box_x\neg\alpha$ (observe that this modality may interact with formula (ii), $y' : \Box_x A$, that is also on the branch). On the other hand, if the branch contains a positive modality $y_1 : \Box_x\phi$ such that either $y_1$ is $y$ or $y <_x y_1$ is on the branch (that is, $y_1$ is on the same $<_x$ descending chain of labels as $y'$), by applying $(Trans)$ and $(T\Box)$ we can get $y' : \phi$.

Condition (2b) guarantees that if there is a conditional formula $x : \alpha \Rightarrow \beta$ on the branch, which may introduce the formula $y' : \neg\Box_x\neg\alpha$ by $(T\Rightarrow)$, then there is a corresponding formula $w : \alpha \Rightarrow \beta$, which can be used to add to the branch the formula $z' : \neg\Box_w\neg\alpha$. All other labelled conditionals are equally applicable to $y'$ and to $z'$.

Condition (2c) guarantees that when there is a positive modal formula $y_1 : \Box_x\phi$ (occurring on the branch) that is in the same $<_x$-descending chain as $y'$ and which can introduce the formula $\phi$ at $y'$, then there must be a similar labelled formula $z_1 : \Box_w\phi$ on the branch, which can introduce the formula $\phi$ at $z'$.

As for all inferences which can add formulas to $y'$ the same inferences can be done on $z'$, given a closed branch $B$ we can obtain from it another branch $B'$ by removing from $B$ all the inferences $(F\Box)$ which do not satisfy (Restriction 2) and by replacing all the formulas labelled by $y'$ (the world created by the application of $(F\Box)$) and all its descendants with the corresponding formulas labelled with $z'$ and its descendants (if such formulas have not already been introduced on the branch).

Theorem 6 

Proof. -Tableaux system CE-I-MP is complete with respect to CE-I-MP models. 

Let B be an open branch, saturated w.r.t. to CE-I-MP. It is enough to con- 
sider the canonical model Me used to prove the completeness of CE. Me is 
a CEmodel. Furthermore, it satisfies (MP). Indeed, let y Qx x. By construction, 
either y <x x G B or x = y. But it cannot he y <x x G B, since by MP we 
would have x :_Ls B. Hence, x = y, and by construction, y Cj, x. Reasoning by 
induction as we did for CE, we can show that B is satisfiable. 

– Tableau system CE+CV is complete with respect to CE+CV models.

Let $B$ be an open branch, saturated w.r.t. CE+CV. We build a canonical model as follows. $W$ and $I$ are defined as in $M_B$, whereas $\sqsubseteq_x$ is defined as follows: $y \sqsubseteq_x z$ iff $y \leq_x z \in B$. We can easily show that $\sqsubseteq_x$ is reflexive and transitive (obvious). The model satisfies the limit assumption, by Lemma 7 of Section 5. Furthermore, the model satisfies (CV): by (Conn), either $y \leq_x z \in B$ or $z <_x y \in B$. Let $y \leq_x z \in B$; by definition, $y \sqsubseteq_x z$. Let $z <_x y \in B$; by (GenTrans) we derive that $z \leq_x y \in B$ and hence that $z \sqsubseteq_x y$. Hence, the model is a CE+CV model. Moreover, we can show that $z \sqsubset_x y$ iff $z <_x y \in B$. Suppose that $z \sqsubset_x y$. We have $z \sqsubseteq_x y$ and not $y \sqsubseteq_x z$. From the first relation we get $z \leq_x y \in B$, and from "not $y \sqsubseteq_x z$" we get $y \leq_x z \notin B$. By (Conn), we have that $z <_x y \in B$. Conversely, let $z <_x y \in B$. By (GenTrans) we have that $z \leq_x y \in B$ and hence $z \sqsubseteq_x y$. On the other hand, we cannot have $y \leq_x z \in B$, since the branch is open. Therefore, $y \not\sqsubseteq_x z$, i.e. $z \sqsubset_x y$.

Finally, we can reason by induction as we did in the completeness of CE to prove that $B$ is satisfiable by $M_B$.

– Tableau system CE+MP+CV+CS is complete with respect to CE+MP+CV+CS models.

Let $B$ be an open branch saturated w.r.t. CE+MP+CV+CS. We build the canonical model as follows. For all $x,y \in W_B$, let $x =_M y$ iff $x = y \in B$. Notice that $=_M$ is an equivalence relation. Indeed: it is symmetric, by (Symm=). It is reflexive: by (Conn) either $x \leq_x x \in B$ or $x <_x x \in B$. However, it cannot be that $x <_x x \in B$, since by (MP) we would have $x : \bot \in B$. Hence, for all $x$, $x \leq_x x \in B$, and by (CS), $x = x \in B$, hence $x =_M x$. It is transitive, by (Trans=).

We let $[x] = \{y : x = y \in B\}$ and $W = W_B/{=_M}$, the set of all the equivalence classes of $W_B$ with respect to $=_M$.

We define $I([x]) = \bigcup_{y \in [x]} \{p : p \in ATM \text{ and } y : p \in B\}$.

Furthermore, we let $[y] \sqsubseteq_{[x]} [z]$ iff $y \leq_x z \in B$. Notice that by (Conn) and the closure condition (iii), we have that if $y \leq_x z \in B$, $x' =_M x$, $y' =_M y$ and $z' =_M z$, then also $y' \leq_{x'} z' \in B$ (otherwise by (Conn) it would be that $z' <_{x'} y' \in B$, which would close the branch by condition (iii)). Hence, the relation $\sqsubseteq_{[x]}$ does not depend on the choice of the representative element, and if $[x'] = [x]$, $[y'] = [y]$, $[z'] = [z]$, we have that $[y] \sqsubseteq_{[x]} [z]$ iff $[y'] \sqsubseteq_{[x']} [z']$.

It can be shown that the model is a CE+MP+CV+CS model: $\sqsubseteq_{[x]}$ is reflexive and transitive. Reflexive: as a consequence of (Conn) and (MP), we have that for all $x \in W_B$, $x \leq_x x \in B$. Transitive: it follows immediately from (GenTrans). Furthermore, as we did for the other logics, we can show that if $S \subseteq W$ and $S \neq \emptyset$, then $Min_x(S) \neq \emptyset$, and that the model satisfies (MP) and (CV). The model is thus a CE+MP+CV model.

Last, we show that it satisfies (CS). Let $[y] \sqsubseteq_{[x]} [x]$. By definition, $y \leq_x x \in B$, and by (CS), $y = x \in B$. By construction of the model, $y \in [x]$ and, since $[x]$ is an equivalence class, $[x] = [y]$.

Reasoning by induction on the complexity of the formulas, we show that $B$ is satisfiable.
Abstract. Logics for time intervals provide a natural framework for representing and reasoning about timing properties in various areas of computer science. However, while various tableau methods have been developed for linear and branching time point-based temporal logics, not much work has been done on tableau methods for interval-based temporal logics. In this paper, we introduce a new, very expressive propositional interval temporal logic, called (Non-Strict) Branching CDT (BCDT+), which extends most of the propositional interval temporal logics proposed in the literature. Then, we provide BCDT+ with a generic tableau method which combines features of explicit tableau methods for modal logics with constraint label management and the classical tableau method for first-order logic, and we prove its soundness and completeness.



1 Introduction 

Logics for time intervals provide a natural framework for representing and reasoning about timing properties in various areas of computer science. However, while various tableau methods have been developed for linear and branching time point-based temporal logics [17, 5, 15, 2], not much work has been done on tableau methods for interval-based temporal logics. One reason for this disparity is that operators of interval temporal logics are in many respects more difficult to deal with. As an example, there exist straightforward inductive definitions of the main operators of point-based temporal logics, such as the future operator and the until operator, while inductive definitions of basic interval modalities (consider, for instance, the one for the chop operator given in [1]) turn out to be more complex.

Various propositional and first-order interval temporal logics have been proposed in the literature. In this paper we focus our attention on propositional ones. There are two different natural semantics for interval logics, namely, a strict one, which excludes point-intervals, and a non-strict one, which includes them. The most studied propositional interval logics are Halpern and Shoham's Modal Logic of Time Intervals (HS) [9], Venema's CDT logic [16], Moszkowski's Propositional Interval Temporal Logic (PITL) [12], and Goranko, Montanari, and Sciavicco's family of Propositional Neighborhood Logics PNL [8].
HS features four basic operators: $\langle B\rangle$ (begin) and $\langle E\rangle$ (end), and their transposes $\langle\bar{B}\rangle$ and $\langle\bar{E}\rangle$. Given a formula $\varphi$ and an interval $[d_0,d_1]$, $\langle B\rangle\varphi$ holds at $[d_0,d_1]$ if $\varphi$ holds at $[d_0,d_2]$ for some $d_2 < d_1$, and $\langle E\rangle\varphi$ holds at $[d_0,d_1]$ if $\varphi$ holds at $[d_2,d_1]$ for some $d_2 > d_0$. A number of other temporal operators can be defined by means of the basic ones. In particular, it is possible to define the strict after operator $\langle A\rangle$ (and its transpose $\langle\bar{A}\rangle$) such that $\langle A\rangle\varphi$ holds at $[d_0,d_1]$ if $\varphi$ holds at $[d_1,d_2]$ for some $d_2 > d_1$; the non-strict after operator $\Diamond_r$ (and its transpose $\Diamond_l$) such that $\Diamond_r\varphi$ holds at $[d_0,d_1]$ if $\varphi$ holds at $[d_1,d_2]$ for some $d_2 \geq d_1$; and the subinterval operator $\langle D\rangle$ such that $\langle D\rangle\varphi$ holds at a given interval $[d_0,d_1]$ if $\varphi$ holds at a proper subinterval of $[d_0,d_1]$.

CDT has three binary operators $C$ (chop), $D$, and $T$, which correspond to the ternary interval relations occurring when an extra point is added in one of the three possible distinct positions with respect to the two endpoints of the current interval (before, between, and after), plus a modal constant $\pi$ which holds at a given interval if and only if it is a point-interval. PITL provides two modalities, namely, $\bigcirc$ (next) and $C$ (the specialization of the chop operator for discrete structures). In PITL an interval is defined as a finite or infinite sequence of states. Given two formulas $\varphi$, $\psi$ and an interval $s_0,\ldots,s_n$, $\bigcirc\varphi$ holds over $s_0,\ldots,s_n$ if and only if $\varphi$ holds over $s_1,\ldots,s_n$, while $\varphi C\psi$ holds over $s_0,\ldots,s_n$ if and only if there exists $i$, with $0 \leq i \leq n$, such that $\varphi$ holds over $s_0,\ldots,s_i$ and $\psi$ holds over $s_i,\ldots,s_n$. Finally, propositional neighborhood logics in PNL feature two modalities for right and left interval neighborhoods, namely, $\langle A\rangle$ and $\langle\bar{A}\rangle$ in the strict semantics (PNL$^-$ logics), and $\Diamond_r$ and $\Diamond_l$ in the non-strict semantics (PNL$^+$ logics).

The main contributions of the paper are:

(i) Introduction of a new propositional interval logic, called (Non-Strict) Branching CDT (BCDT+ for short), which features the same operators as CDT, but is interpreted over partially ordered domains with linear intervals, and is therefore expressive enough to include as subsystems or specializations all the above-described interval logics.

(ii) Development of an original sound and complete tableau method for BCDT+, which combines features of tableau methods for modal logics with constraint label management and the classical tableau method for first-order logic. The proposed method can be adapted to variations and subsystems of BCDT+, thus providing a general tableau method for propositional interval logics.

We conclude this introduction with a brief comparison between the tableau method proposed here and other existing methods for point-based and interval-based modal and temporal logics (see [17, 5, 10]). As a preliminary remark, we note that most tableau methods for modal and temporal logics are terminating tableaux for decidable logics, and thus they yield decision procedures. Tableau methods for modal and (point-based) temporal logics can be classified as explicit or implicit (see [4]). Unlike implicit tableaux, explicit ones maintain the accessibility relation by means of some sort of external device. In implicit tableaux [6, 14], the accessibility relation is built into the rules. In particular, in linear and branching time point-based temporal logics the tableau represents a model of the satisfiable formulas (a time-line or a tree, respectively).

104 Valentin Goranko et al.

The non-standard finite model property can then be exploited to show that the resulting tableau methods are actually decision procedures (they do not lead to infinite computations). Explicit tableau methods have been developed for several modal logics. They capture the accessibility relation by means of labeled formulas, and they provide suitable notions of closed branches and tableaux. Whenever the logic is decidable, its properties can be exploited to turn the tableau method into a decision procedure. In this respect, the tableau method for BCDT+, while sharing basic features with explicit tableaux for modal logics, comes closer to the classical, possibly non-terminating tableau method for first-order logic, which only provides a semi-decision procedure for non-satisfiability. It also presents some similarities with the explicit tableau method developed for the guarded fragment of first-order logic (see [7]).

To the best of our knowledge, there exist very few other tableau methods for interval temporal logics (and duration calculi) in the literature. A tableau-based decision procedure for an extension of Local QPITL (a decidable fragment of PITL extended with quantification over propositional variables, which has been obtained by imposing a suitable locality constraint), which, besides the chop operator $C$ and the modal constant $\pi$, has a projection operator proj, has been proposed by Kono [11] and later refined by Bowman and Thompson [1]. They introduce a normal form for the formulas of the resulting logic that allows them to exploit a classical tableau method, devoid of any mechanism for constraint label management. In [3], Chetcuti-Sperandio and Fariñas del Cerro focus on a decidable fragment of Duration Calculus (DC) which encompasses a proper subset of DC operators, namely, $\wedge$, $\vee$, and $C$. The tableau construction for the resulting logic combines application of the rules of classical tableaux with that of a suitable constraint resolution algorithm, and it essentially depends on the assumption of bounded variability of the state variables. Finally, tableau systems for propositional and first-order Linear Temporal Logic, which employ a mechanism for labeling formulas with temporal constraints somewhat similar to ours, have been developed respectively in [15] and [2]. The main differences between these tableau methods and ours are: (i) they are specifically designed to deal with integer time structures (i.e., linear and discrete) while ours is quite generic; (ii) LTL is essentially point-based, and intervals only play a secondary role in it (viz., a formula is true on an interval if and only if it is true at every point in it), while in our system intervals are primary semantic objects on which the truth definitions are entirely based; (iii) the closedness of a tableau in the cited papers is defined in terms of unsatisfiability of the associated set of temporal constraints, while in our system it is entirely syntactic.



2 Non-strict Branching CDT (BCDT+)

In this section we give syntax and semantics of BCDT+ and discuss its expressive power. To this end, we introduce some preliminary notions. Let $D$ be a set of time points, called domain, and $<$ be a partial order on it. A (non-strict) interval on $D$ is an ordered pair $[d_0,d_1]$ such that $d_0,d_1 \in D$ and $d_0 \leq d_1$. When $d_0 < d_1$ we say that the interval is proper or strict; when $d_0 = d_1$ it is a point-interval.

As in [9], we assume intervals to be linear, that is, for every interval $[d_0,d_1]$ and every pair of points $d,d'$ belonging to it, namely, $d_0 \leq d \leq d_1$ and $d_0 \leq d' \leq d_1$, $d < d'$ or $d' < d$ or $d = d'$. Such an assumption keeps the temporal setting still very general, while making it fit our intuition about the nature of time [9]. A pair $(D,<)$ is called an interval structure. An interval structure is: linear if every two points are comparable; discrete if every point with a successor/predecessor has an immediate successor/predecessor along every path starting from/ending at it; dense if for every pair of comparable (under $<$) points there exists another point in between; unbounded if and only if there are no points without successors (resp., predecessors); Dedekind complete if every non-empty and upward bounded set of points has a least upper bound. An element $d \in D$ such that there are no elements $d' \in D$ with $d < d'$ (resp., $d' < d$) is called a maximal (resp., minimal) element.

Here we assume the non-strict semantics, but we add the modal constant $\pi$ (as in [16]) that is satisfied by point-intervals only, and hence enables one to distinguish between point-intervals and proper ones.

2.1 BCDT+ Syntax and Semantics

The language $L^+$ for BCDT+ consists of a set of propositional variables $\mathcal{AP}$, the logical connectives $\neg$ and $\wedge$, the modalities $C$, $D$, and $T$, and the modal constant $\pi$. The other logical connectives, as well as the logical constants $\top$ (true) and $\bot$ (false), can be defined in the usual way. BCDT+ formulas, denoted by $\varphi,\psi,\ldots$, are recursively defined as follows (where $p \in \mathcal{AP}$):

$\varphi ::= \pi \mid p \mid \neg\varphi \mid \varphi\wedge\psi \mid \varphi C\psi \mid \varphi D\psi \mid \varphi T\psi.$

The semantics of BCDT+ is given in terms of non-strict models $M^+ = (D,V)$, i.e., models based on non-strict interval structures $(D,<)$, equipped with a valuation function $V$ for propositional variables. The valuation function is a mapping $V : I(D)^+ \to 2^{\mathcal{AP}}$, where $I(D)^+$ is the set of all intervals in $D$, such that, for any $p \in \mathcal{AP}$, $p$ is true over $[d_0,d_1]$ if and only if $p \in V([d_0,d_1])$. Truth over an interval $[d_0,d_1]$ in a model $M^+$ is defined by induction on the structure of formulas:

1. $M^+,[d_0,d_1] \Vdash \pi$ iff $d_0 = d_1$;

2. $M^+,[d_0,d_1] \Vdash p$ iff $p \in V([d_0,d_1])$, for all $p \in \mathcal{AP}$;

3. $M^+,[d_0,d_1] \Vdash \neg\psi$ iff it is not the case that $M^+,[d_0,d_1] \Vdash \psi$;

4. $M^+,[d_0,d_1] \Vdash \varphi\wedge\psi$ iff $M^+,[d_0,d_1] \Vdash \varphi$ and $M^+,[d_0,d_1] \Vdash \psi$;

5. $M^+,[d_0,d_1] \Vdash \varphi C\psi$ iff there exists $d_2 \in D$ such that $d_0 \leq d_2 \leq d_1$, $M^+,[d_0,d_2] \Vdash \varphi$, and $M^+,[d_2,d_1] \Vdash \psi$;

6. $M^+,[d_0,d_1] \Vdash \varphi D\psi$ iff there exists $d_2 \in D$ such that $d_2 \leq d_0$, $M^+,[d_2,d_0] \Vdash \varphi$, and $M^+,[d_2,d_1] \Vdash \psi$;

7. $M^+,[d_0,d_1] \Vdash \varphi T\psi$ iff there exists $d_2 \in D$ such that $d_1 \leq d_2$, $M^+,[d_1,d_2] \Vdash \varphi$, and $M^+,[d_0,d_2] \Vdash \psi$.

Satisfiability and validity of BCDT+ formulas are defined in the usual way.
2.2 Expressive Power of BCDT+

Let us compare the expressive power of BCDT+ with that of the above-described propositional interval logics. We say that a logic $L_1$ is at least as expressive as a logic $L_2$ if for every $L_2$ formula there exists an equivalent $L_1$ formula, and that $L_1$ is (strictly) more expressive than $L_2$ if and only if $L_1$ is at least as expressive as $L_2$, but not vice versa.

We first note that both CDT and PNL$^+$ logics are interpreted over linear structures, and that the operators of PNL$^+$ logics can be expressed in CDT by means of the formulas $\Diamond_r\varphi := \varphi T\top$ and $\Diamond_l\varphi := \varphi D\top$. Furthermore, it is well known that CDT does not semantically include HS in its full generality, since the latter allows the interval structure to be branching, while the former does not. On the other hand, HS is not more expressive than CDT, because it cannot express the chop operator (see [13]).

BCDT+ generalizes Venema's CDT (and thus propositional neighborhood logics in PNL$^+$) by allowing the interval structure to be non-linear, as long as all intervals in it are linear (as in HS). Furthermore, it is strictly more expressive than HS and PITL. HS operators can be defined in BCDT+ as follows: $\langle B\rangle\varphi := \varphi C\neg\pi$, $\langle\bar{B}\rangle\varphi := \neg\pi T\varphi$, $\langle E\rangle\varphi := \neg\pi C\varphi$, and $\langle\bar{E}\rangle\varphi := \neg\pi D\varphi$. Besides, the strict neighborhood operators $\langle A\rangle$ and $\langle\bar{A}\rangle$ can be defined in BCDT+ by using $\pi$ as follows: $\langle A\rangle\varphi := (\varphi\wedge\neg\pi)T\top$, and $\langle\bar{A}\rangle\varphi := (\varphi\wedge\neg\pi)D\top$.

By exploiting such derived operators, all conditions on the interval structure mentioned in the preliminaries can be easily expressed in BCDT+. In particular, linearity can be expressed in BCDT+ by means of the following formula:

$\langle A\rangle p \to [A](p \vee \langle B\rangle p \vee \langle\bar{B}\rangle p) \;\wedge\; \langle\bar{A}\rangle p \to [\bar{A}](p \vee \langle E\rangle p \vee \langle\bar{E}\rangle p),$

while discreteness of linear interval structures can be imposed by means of the formula:

$\pi \vee \ell \vee (\langle B\rangle\ell \wedge \langle E\rangle\ell),$

where $\ell$ stands for $\langle B\rangle\top \wedge [B][B]\bot$ (the interval has a proper beginning subinterval, and every such subinterval is a point, i.e. the interval has unit length), together with the dual one.

As for the PITL operators, $C$ is an operator of BCDT+, while $\bigcirc$ can be defined over (linear) discrete structures as follows: $\bigcirc\varphi := \ell C\varphi$.

The undecidability of BCDT+ with respect to a number of interval structures immediately follows from results in [9], while finding meaningful decidable fragments of BCDT+ is an interesting open problem.



3 A Tableau Method for BCDT+

In this section we devise a tableau method for BCDT+. That method can be adapted to its strict version BCDT$^-$, and can be accordingly restricted to CDT, HS, PITL, and PNL logics.

First, some basic terminology. A finite tree is a finite directed connected graph in which every node, apart from one (the root), has exactly one incoming arc. A successor of a node $n$ is a node $n'$ such that there is an edge from $n$ to $n'$. A leaf is a node with no successors; a path is a sequence of nodes $n_0,\ldots,n_k$ such that, for all $i = 0,\ldots,k-1$, $n_{i+1}$ is a successor of $n_i$; a branch is a path from the root to a leaf. The height of a node $n$ is the maximum length (number of edges) of a path from $n$ to a leaf. If $n,n'$ belong to the same branch and the height of $n$ is less than or equal to the height of $n'$, we write $n \preceq n'$.

Let $(\mathbb{C},<)$ be a finite partial order. A labeled formula, with label in $\mathbb{C}$, is a pair $(\varphi,[c_i,c_j])$, where $\varphi \in$ BCDT+ and $[c_i,c_j] \in I(\mathbb{C})^+$.

For a node $n$ in a tree, the decoration $\nu(n)$ is a triple $((\varphi,[c_i,c_j]),\mathbb{C},u_n)$, where $(\mathbb{C},<)$ is a finite partial order, $(\varphi,[c_i,c_j])$ is a labeled formula with label in $\mathbb{C}$, and $u_n$ is a local flag function which associates the values 0 or 1 with every branch $B$ containing $n$. Intuitively, the value 0 for a node $n$ with respect to a branch $B$ means that $n$ can be expanded on $B$. For the sake of simplicity, we will often assume the interval $[c_i,c_j]$ to consist of the elements $c_i < c_{i+1} < \cdots < c_j$, and sometimes, with a little abuse of notation, we will write $\mathbb{C} = \{c_i < c_k, c_m < c_j, \ldots\}$. A decorated tree is a tree in which every node has a decoration $\nu(n)$. For every decorated tree, we define a global flag function $u$ acting on pairs (node, branch through that node) as $u(n,B) = u_n(B)$. Sometimes, for convenience, we will include in the decoration of the nodes the global flag function instead of the local ones. For any branch $B$ in a decorated tree, we denote by $\mathbb{C}_B$ the ordered set in the decoration of the leaf of $B$, and for any node $n$ in a decorated tree, we denote by $\varphi(n)$ the formula in its decoration. If $B$ is a branch, then $B\cdot n$ denotes the result of the expansion of $B$ with the node $n$ (addition of an edge connecting the leaf of $B$ to $n$). Similarly, $B\cdot n_1|\ldots|n_k$ denotes the result of the expansion of $B$ with $k$ immediate successor nodes $n_1,\ldots,n_k$ (which produces $k$ branches extending $B$). A tableau for BCDT+ will be defined as a special decorated tree. We note again that $\mathbb{C}$ remains finite throughout the construction of the tableau.

Definition 1. Given a decorated tree $T$, a branch $B$ in $T$, and a node $n \in B$ such that $\nu(n) = ((\varphi,[c_i,c_j]),\mathbb{C},u)$, with $u(n,B) = 0$, the branch-expansion rule for $B$ and $n$ is defined as follows (in all the considered cases, $u(n',B') = 0$ for all new pairs $(n',B')$ of nodes and branches).

– If $\varphi = \neg\neg\psi$, then expand the branch to $B\cdot n_0$, with $\nu(n_0) = ((\psi,[c_i,c_j]),\mathbb{C}_B,u)$.

– If $\varphi = \psi_0\wedge\psi_1$, then expand the branch to $B\cdot n_0\cdot n_1$, with $\nu(n_0) = ((\psi_0,[c_i,c_j]),\mathbb{C}_B,u)$ and $\nu(n_1) = ((\psi_1,[c_i,c_j]),\mathbb{C}_B,u)$.

– If $\varphi = \neg(\psi_0\wedge\psi_1)$, then expand the branch to $B\cdot n_0|n_1$, with $\nu(n_0) = ((\neg\psi_0,[c_i,c_j]),\mathbb{C}_B,u)$ and $\nu(n_1) = ((\neg\psi_1,[c_i,c_j]),\mathbb{C}_B,u)$.

– If $\varphi = \neg(\psi_0 C\psi_1)$ and $c$ is the least element of $\mathbb{C}_B$, with $c_i \leq c \leq c_j$, which has not been used yet to expand the node $n$ on $B$, then expand the branch to $B\cdot n_0|n_1$, with $\nu(n_0) = ((\neg\psi_0,[c_i,c]),\mathbb{C}_B,u)$ and $\nu(n_1) = ((\neg\psi_1,[c,c_j]),\mathbb{C}_B,u)$.

– If $\varphi = \neg(\psi_0 D\psi_1)$, $c$ is a minimal element of $\mathbb{C}_B$ such that $c \leq c_i$, and there exists $c' \in [c,c_i]$ which has not been used yet to expand the node $n$ on $B$, then take the least such $c' \in [c,c_i]$ and expand the branch to $B\cdot n_0|n_1$, with $\nu(n_0) = ((\neg\psi_0,[c',c_i]),\mathbb{C}_B,u)$ and $\nu(n_1) = ((\neg\psi_1,[c',c_j]),\mathbb{C}_B,u)$.

– If $\varphi = \neg(\psi_0 T\psi_1)$, $c$ is a maximal element of $\mathbb{C}_B$ such that $c_j \leq c$, and there exists $c' \in [c_j,c]$ which has not been used yet to expand the node $n$ on $B$, then take the greatest such $c' \in [c_j,c]$ and expand the branch to $B\cdot n_0|n_1$, so that $\nu(n_0) = ((\neg\psi_0,[c_j,c']),\mathbb{C}_B,u)$ and $\nu(n_1) = ((\neg\psi_1,[c_i,c']),\mathbb{C}_B,u)$.

– If $\varphi = \psi_0 C\psi_1$, then expand the branch to $B\cdot(n_i\cdot m_i)|\ldots|(n_j\cdot m_j)|(n'_i\cdot m'_i)|\ldots|(n'_{j-1}\cdot m'_{j-1})$, where:

  1. for all $c_k \in [c_i,c_j]$, $\nu(n_k) = ((\psi_0,[c_i,c_k]),\mathbb{C}_B,u)$ and $\nu(m_k) = ((\psi_1,[c_k,c_j]),\mathbb{C}_B,u)$;

  2. for all $i \leq k \leq j-1$, let $\mathbb{C}_k$ be the interval structure obtained by inserting a new element $c$ between $c_k$ and $c_{k+1}$ in $[c_i,c_j]$, $\nu(n'_k) = ((\psi_0,[c_i,c]),\mathbb{C}_k,u)$, and $\nu(m'_k) = ((\psi_1,[c,c_j]),\mathbb{C}_k,u)$.

– If $\varphi = \psi_0 D\psi_1$, then repeatedly expand the current branch, once for each minimal element $c$ (where $[c,c_i] = \{c = c_0 < c_1 < \cdots < c_i\}$), by adding the decorated sub-tree $(n_0\cdot m_0)|\ldots|(n_i\cdot m_i)|(n'_0\cdot m'_0)|\ldots|(n'_i\cdot m'_i)|(n''_0\cdot m''_0)|\ldots|(n''_i\cdot m''_i)$ to its leaf, where:

  1. for all $c_k \in [c,c_i]$, $\nu(n_k) = ((\psi_0,[c_k,c_i]),\mathbb{C}_B,u)$ and $\nu(m_k) = ((\psi_1,[c_k,c_j]),\mathbb{C}_B,u)$;

  2. for all $0 \leq k \leq i$, let $\mathbb{C}_k$ be the interval structure obtained by inserting a new element $c'$ immediately before $c_k$ in $[c,c_i]$, and $\nu(n'_k) = ((\psi_0,[c',c_i]),\mathbb{C}_k,u)$ and $\nu(m'_k) = ((\psi_1,[c',c_j]),\mathbb{C}_k,u)$;

  3. for all $0 \leq k \leq i$, let $\mathbb{C}_k$ be the interval structure obtained by inserting a new element $c'$ in $\mathbb{C}_B$, with $c' < c_k$, which is incomparable with all existing predecessors of $c_k$, $\nu(n''_k) = ((\psi_0,[c',c_i]),\mathbb{C}_k,u)$, and $\nu(m''_k) = ((\psi_1,[c',c_j]),\mathbb{C}_k,u)$.

– If $\varphi = \psi_0 T\psi_1$, then repeatedly expand the current branch, once for each maximal element $c$ (where $[c_j,c] = \{c_j < c_{j+1} < \cdots < c_n = c\}$), by adding the decorated sub-tree $(n_j\cdot m_j)|\ldots|(n_n\cdot m_n)|(n'_j\cdot m'_j)|\ldots|(n'_n\cdot m'_n)|(n''_j\cdot m''_j)|\ldots|(n''_n\cdot m''_n)$ to its leaf, where:

  1. for all $c_k \in [c_j,c]$, $\nu(n_k) = ((\psi_0,[c_j,c_k]),\mathbb{C}_B,u)$ and $\nu(m_k) = ((\psi_1,[c_i,c_k]),\mathbb{C}_B,u)$;

  2. for all $j \leq k \leq n$, let $\mathbb{C}_k$ be the interval structure obtained by inserting a new element $c'$ immediately after $c_k$ in $[c_j,c]$, and $\nu(n'_k) = ((\psi_0,[c_j,c']),\mathbb{C}_k,u)$ and $\nu(m'_k) = ((\psi_1,[c_i,c']),\mathbb{C}_k,u)$;

  3. for all $j \leq k \leq n$, let $\mathbb{C}_k$ be the interval structure obtained by inserting a new element $c'$ in $\mathbb{C}_B$, with $c_k < c'$, which is incomparable with all existing successors of $c_k$, $\nu(n''_k) = ((\psi_0,[c_j,c']),\mathbb{C}_k,u)$, and $\nu(m''_k) = ((\psi_1,[c_i,c']),\mathbb{C}_k,u)$.

Finally, for any node $m$ ($\neq n$) in $B$ and any branch $B'$ extending $B$, let $u(m,B')$ be equal to $u(m,B)$, and for any branch $B'$ extending $B$, $u(n,B') = 1$, unless $\varphi = \neg(\psi_0 C\psi_1)$, $\varphi = \neg(\psi_0 D\psi_1)$, or $\varphi = \neg(\psi_0 T\psi_1)$ (in such cases $u(n,B') = 0$).

Let us briefly explain the expansion rules for $\psi_0 C\psi_1$ and $\neg(\psi_0 C\psi_1)$ (similar considerations hold for the other temporal operators). The rule for the (existential) formula $\psi_0 C\psi_1$ deals with the two possible cases: either there exists $c_k$ in $\mathbb{C}_B$ such that $c_i \leq c_k \leq c_j$ and $\psi_0$ holds over $[c_i,c_k]$ and $\psi_1$ holds over $[c_k,c_j]$, or such an element $c_k$ must be added. The (universal) formula $\neg(\psi_0 C\psi_1)$ states that, for all $c_i \leq c \leq c_j$, $\psi_0$ does not hold over $[c_i,c]$ or $\psi_1$ does not hold over $[c,c_j]$. As a matter of fact, the expansion rule imposes such a condition for a single element $c$ in $\mathbb{C}_B$ (the least element which has not been used yet), and it does not change the flag (which remains equal to 0). In this way, all elements will eventually be taken into consideration, including those elements in between $c_i$ and $c_j$ that will be added to $\mathbb{C}_B$ in some subsequent steps of the tableau construction.

Let us now define the notions of open and closed branch. We say that a node $n$ in a decorated tree $T$ is available on a branch $B$ to which it belongs if and only if $u(n,B) = 0$. The branch-expansion rule is applicable to a node $n$ on a branch $B$ if the node is available on $B$ and the application of the rule generates at least one successor node with a new labeled formula. This second condition is needed to avoid looping of the application of the rule on the formulas whose flag stays 0, namely those of the form $\neg(\psi_0 C\psi_1)$, $\neg(\psi_0 D\psi_1)$ and $\neg(\psi_0 T\psi_1)$.

Definition 2. A branch $B$ is closed if one of the following conditions holds:

(i) there are two nodes $n,n' \in B$ such that $\nu(n) = ((\psi,[c_i,c_j]),\mathbb{C},u)$ and $\nu(n') = ((\neg\psi,[c_i,c_j]),\mathbb{C}',u)$ for some formula $\psi$ and $c_i,c_j \in \mathbb{C}\cap\mathbb{C}'$;

(ii) there is a node $n$ such that $\nu(n) = ((\pi,[c_i,c_j]),\mathbb{C},u)$ and $c_i \neq c_j$; or

(iii) there is a node $n$ such that $\nu(n) = ((\neg\pi,[c_i,c_j]),\mathbb{C},u)$ and $c_i = c_j$.

If none of the above conditions holds, the branch is open.

Definition 3. The branch-expansion strategy for a branch $B$ in a decorated tree $T$ is defined as follows:

1. Apply the branch-expansion rule to a branch $B$ only if it is open;

2. If $B$ is open, apply the branch-expansion rule to the available node in $B$ closest to the root for which the branch-expansion rule is applicable.

Definition 4. A tableau for a given formula $\varphi \in$ BCDT+ is any finite decorated tree $T$ obtained by expanding the three-node decorated tree built up from an empty-decoration root and two leaves with decorations $((\varphi,[c_b,c_e]),\{c_b < c_e\},u)$ and $((\varphi,[c_b,c_b]),\{c_b\},u)$, where the value of $u$ is 0, through successive applications of the branch-expansion strategy to the existing branches.

It is easy to show that if $\varphi \in$ BCDT+, $T$ is a tableau for $\varphi$, $n \in T$, and $\mathbb{C}$ is the ordered set in the decoration of $n$, then $(\mathbb{C},<)$ is an interval structure.

Definition 5. A tableau for BCDT+ is closed if and only if every branch in it is closed, otherwise it is open.

As an example, consider the unsatisfiable BCDT+ formula $\varphi = pT\psi$, where $\psi = \neg(\top Cp)$. Here we show some steps of the construction of a closed tableau for that formula (in the pictures below, indentation denotes the successor relation, and each node is written as name : ((formula, interval), ordered set, flag)).

The initial tableau is:

  root
    n0 : ((p T ψ, [c0, c1]), {c0 < c1}, 0)
    n1 : ((p T ψ, [c0, c0]), {c0}, 0)

We suppose that the flag function is correctly updated during the construction. According to the branch-expansion strategy, by expanding n0 (the $T$ rule, with the maximal element c1) we obtain:

  n0
    n2 : ((ψ, [c0, c1]), {c0 < c1}, 0)
      n3 : ((p, [c1, c1]), {c0 < c1}, 0)
    n4 : ((ψ, [c0, c2]), {c0 < c1 < c2}, 0)
      n5 : ((p, [c1, c2]), {c0 < c1 < c2}, 0)

The node n2 is expanded by an application of the $\neg C$ rule (with c = c0, the least element not yet used), attaching the decorated sub-tree

  n3
    n6 : ((⊥, [c0, c0]), {c0 < c1}, 0)
    n7 : ((¬p, [c0, c1]), {c0 < c1}, 0)

to n3, and the following one (a second application of the same rule to n2, now with c = c1) to each of the leaves n6 and n7:

  n6 / n7
    n8 / n10 : ((⊥, [c0, c1]), {c0 < c1}, 0)
    n9 / n11 : ((¬p, [c1, c1]), {c0 < c1}, 0)

It is straightforward to check that all branches are closed: the branches through n9 and n11 contain both (p, [c1, c1]) and (¬p, [c1, c1]), and those through n6, n8 and n10 contain ⊥. The remaining branches can be obtained in a similar way, and they are closed as well.
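To make the truth definition of Section 2.1, the derived operators of Section 2.2 and the example above concrete, here is an added model checker (an illustration written for this edition, not code from the paper or its authors). It evaluates BCDT+ formulas literally by clauses 1–7 over a finite partial order, defines the HS and neighborhood operators exactly as in Section 2.2, checks the derived ⟨B⟩ against the direct HS clause from the introduction, and, going beyond the tableau argument, exhaustively tries every valuation of p over a small branching structure to confirm that p T ¬(⊤ C p) holds at no interval there. The four-point tree, the valuation, the tuple encoding of formulas and the choice ⊤ := ¬(q ∧ ¬q) for a fresh variable q are this example's own constructions.

```python
"""Model checker for BCDT+ over a finite interval structure (added example, not the paper's code).
Formulas are nested tuples: ('pi',) | ('var', p) | ('not', f) | ('and', f, g) | ('C', f, g) | ('D', f, g) | ('T', f, g)."""
from itertools import product

PI = ('pi',)
def var(p):     return ('var', p)
def neg(f):     return ('not', f)
def conj(f, g): return ('and', f, g)
def chop(f, g): return ('C', f, g)
def dop(f, g):  return ('D', f, g)
def top(f, g):  return ('T', f, g)
TRUE = neg(conj(var('_q'), neg(var('_q'))))   # top := not(q and not q) for a fresh q (our choice)

class Structure:
    """Finite partial order (D, <), given by generating strict pairs; le is its reflexive version."""
    def __init__(self, points, strict_pairs):
        self.points = list(points)
        self.lt = set(strict_pairs)
        for k in self.points:                       # transitive closure (Warshall)
            for a in self.points:
                for b in self.points:
                    if (a, k) in self.lt and (k, b) in self.lt:
                        self.lt.add((a, b))
    def le(self, a, b):
        return a == b or (a, b) in self.lt
    def intervals(self):
        """All non-strict intervals [a, b] with a <= b, point-intervals included."""
        return [(a, b) for a in self.points for b in self.points if self.le(a, b)]
    def intervals_are_linear(self):
        """The paper's assumption: any two points inside one interval are comparable."""
        for a, b in self.intervals():
            inside = [d for d in self.points if self.le(a, d) and self.le(d, b)]
            if any(not (self.le(d, e) or self.le(e, d)) for d, e in product(inside, repeat=2)):
                return False
        return True

def holds(S, V, f, d0, d1):
    """M+, [d0, d1] ||- f, clauses 1-7 of Section 2.1; V maps intervals to sets of variables."""
    kind = f[0]
    if kind == 'pi':
        return d0 == d1
    if kind == 'var':
        return f[1] in V.get((d0, d1), set())
    if kind == 'not':
        return not holds(S, V, f[1], d0, d1)
    if kind == 'and':
        return holds(S, V, f[1], d0, d1) and holds(S, V, f[2], d0, d1)
    g, h = f[1], f[2]
    if kind == 'C':   # some d2 with d0 <= d2 <= d1, g on [d0,d2], h on [d2,d1]
        return any(holds(S, V, g, d0, d2) and holds(S, V, h, d2, d1)
                   for d2 in S.points if S.le(d0, d2) and S.le(d2, d1))
    if kind == 'D':   # some d2 <= d0, g on [d2,d0], h on [d2,d1]
        return any(holds(S, V, g, d2, d0) and holds(S, V, h, d2, d1)
                   for d2 in S.points if S.le(d2, d0))
    if kind == 'T':   # some d2 >= d1, g on [d1,d2], h on [d0,d2]
        return any(holds(S, V, g, d1, d2) and holds(S, V, h, d0, d2)
                   for d2 in S.points if S.le(d1, d2))
    raise ValueError(f"unknown formula {f!r}")

# derived operators, exactly as defined in Section 2.2
def B(f):         return chop(f, neg(PI))             # <B>f   := f C not-pi
def Bbar(f):      return top(neg(PI), f)              # <B->f  := not-pi T f
def E(f):         return chop(neg(PI), f)             # <E>f   := not-pi C f
def Ebar(f):      return dop(neg(PI), f)              # <E->f  := not-pi D f
def A(f):         return top(conj(f, neg(PI)), TRUE)  # <A>f   := (f and not-pi) T top
def Abar(f):      return dop(conj(f, neg(PI)), TRUE)  # <A->f  := (f and not-pi) D top
def diamond_r(f): return top(f, TRUE)                 # dia_r f := f T top
def diamond_l(f): return dop(f, TRUE)                 # dia_l f := f D top

def direct_B(S, V, f, d0, d1):
    """<B> read off the HS clause in the introduction: f on [d0,d2] for some d2 < d1."""
    return any(holds(S, V, f, d0, d2) for d2 in S.points if S.le(d0, d2) and (d2, d1) in S.lt)

def derived_B_matches_direct(S, V, f):
    return all(holds(S, V, B(f), a, b) == direct_B(S, V, f, a, b) for a, b in S.intervals())

def satisfying_intervals(S, V, f):
    return [(a, b) for a, b in S.intervals() if holds(S, V, f, a, b)]

def no_model_on(S, f, p):
    """Try every valuation of the single variable p over S; True iff f holds at no interval."""
    ivs = S.intervals()
    for bits in product([False, True], repeat=len(ivs)):
        V = {iv: {p} for iv, bit in zip(ivs, bits) if bit}
        if satisfying_intervals(S, V, f):
            return False
    return True

# constructed sample: the tree 0 < 1 < 2, 1 < 3 (2 and 3 incomparable); p on [1,2] and on [1,1]
SAMPLE = Structure([0, 1, 2, 3], [(0, 1), (1, 2), (1, 3)])
SAMPLE_V = {(1, 2): {'p'}, (1, 1): {'p'}}
PHI = top(var('p'), neg(chop(TRUE, var('p'))))   # the tableau example: p T not(top C p)
```

Calling `satisfying_intervals(SAMPLE, SAMPLE_V, A(var('p')))` returns the two intervals [0,1] and [1,1], whose right endpoint 1 has the proper successor interval [1,2] carrying p, and `no_model_on(SAMPLE, PHI, 'p')` returns True. The exhaustive search is only evidence for that one finite structure (512 valuations over 9 intervals); the reason it can never succeed is the one the closed tableau exposes: the witness d2 for T makes [d1,d2] satisfy p, and d1 itself is a chop point of [d0,d2], contradicting ¬(⊤ C p).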

3.1 Soundness and Completeness

Definition 6. Given a set $S$ of labeled formulas with labels in an interval structure $(\mathbb{C},<)$, we say that $S$ is satisfiable over $\mathbb{C}$ if there exists a non-strict model $M^+ = (D,V)$ such that $(D,<)$ is an extension of $(\mathbb{C},<)$ and $M^+,[c_i,c_j] \Vdash \psi$ for all $(\psi,[c_i,c_j]) \in S$.

If $S$ contains only one labeled formula, the notion of satisfiability of a (labeled) formula over $\mathbb{C}$ is equivalent to the notion of satisfiability given in Section 2.

Theorem 1 (Soundness). If $\varphi \in$ BCDT+ and a tableau $T$ for $\varphi$ is closed, then $\varphi$ is not satisfiable.
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Proof. We will prove by induction on the height h of a node n in the tableau T 
the following claim: if every branch including n is closed, then the set S'(n) of 
all labeled formulas in the decorations of the nodes between n and the root is not 
satisfiable over C, where C is the interval structure in the decoration of n. 

If h = 0, then n is a leaf and the unique branch B containing n is closed. 
Then, either S'(n) contains both the labeled formulas {tp, [ck, ci]) and {-'tjj, [ck, c;]) 
for some BCDT+-formula tjj and Cfc,cj G C, or the labeled formula {tt , [ck , ci]) 
and Ck yf c/, or the labeled formula (^tt, [cfe,c/]) and Ck = ci. Take any model 
M+ = (D, y) where (U, <) is an extension of (C, <). In the first case, clearly 
M+,[cfc,c/] Ih ip if and only if M+,[cfc,c/] \y- -^ip. In the second (resp., third) 
case, M+, [cfc,c/] Ih tt (resp., ^tt) if and only if Ck = c/ (resp., Ck yf c/). Hence, 
S'(n) is not satisfiable over C. 

Suppose h > 0. Then either n has been generated as one of the successors, 
but not the last one, when applying the branch-expansion rule in A, C,D,T, 
or cases, or the branch-expansion rule has been applied to some 
labeled formula {ip,[ci,Cj]) G S'(n) — {^(n)} to extend the branch at n. We 
deal with the latter case. The former can be dealt with in the same way. Let 
C = {ci, . . . , c„}, be the interval structure from the decoration of n. Notice that 
every branch passing through any successor of n must be closed, so the inductive 
hypothesis applies to all successors of n. We consider the possible cases for the 
branch-expansion rule applied at n: 

— Let ip = Then there exists no such that ^(no) = ((^, [ci,Cj]),<C,u) and 

no is a successor of n. Since every branch containing n is closed, then every 
branch containing no is closed. By the inductive hypothesis, S'(no) is not 
satisfiable over C (since no A n). Since .Jo and are equivalent, S'(n) 

cannot be satisfiable over C. 

— Let = Jo A Ji. Then there are two nodes no G i? and ni G i? such 
that J/(no) = ((Jo, [ci,Cj]),C, u), i^(ni) = ((Ji, [c*, Cj]), C, m), and, without 
loss of generality, no is the successor of n and ni is the successor of no. 
Since every branch containing n is closed, then every branch containing 
ni is closed. By the inductive hypothesis, 5'(ni) is not satisfiable over C 
since ni A n. Since every model over C satisfying S'(n) must, in particular, 
satisfy (Jo A Ji, [ci, Cj]), and hence (Jo, [ci, cj]) and (Ji, [cj, Cj\), it follows that 
5'(n), S'(no), and S'(ni) are equi-satisfiable over C. Therefore, S'(n) is not 
satisfiable over C. 

— Let ^p = “'(Ji A J 2 ). Then there exist two successor nodes no and ni of n such 
that J^(no) = ((Jo, [cj,Cj]),C,Mo), J^(ni) = ((Ji, [c*, c^]), C, iti), no,ni A n. 
Since every branch containing n is closed, then every branch containing no 
and every branch containing ni is closed. By the inductive hypothesis S'(no) 
and 5'(ni) are not satisfiable over C. Since every model over C satisfying 
S'(n) must also satisfy (Jo, [c,, Cj]) or (Ji, [a, Cj]), it follows that S'(n) cannot 
be satisfiable over C. 

— Let $\psi = \neg(\psi_0 C \psi_1)$. Suppose that $S(n)$ is satisfiable over $C$. Then, since $(\neg(\psi_0 C \psi_1), [c_i,c_j]) \in S(n)$, there is a model $M^+ = (D, V)$ such that $(D, <)$ is an extension of $(C, <)$ and $M^+, [c_i,c_j] \Vdash \neg(\psi_0 C \psi_1)$. So, for every $c_k$ such that $c_i < c_k < c_j$, we have that $M^+, [c_i,c_k] \Vdash \neg\psi_0$ or $M^+, [c_k,c_j] \Vdash \neg\psi_1$. By construction, the two immediate successors of $n$ are $n_1$ and $n_2$ such that, for an element $c_k$ with $c_i < c_k < c_j$, $(\neg\psi_0, [c_i,c_k])$ is in the decoration of $n_1$ and $(\neg\psi_1, [c_k,c_j])$ is in the decoration of $n_2$. By the inductive hypothesis, since $n_1, n_2 \prec n$, $S(n_1)$ and $S(n_2)$ are not satisfiable over $C$. Thus, such a model $M^+$ cannot exist, and $S(n)$ is not satisfiable over $C$.

— The cases $\psi = \neg(\psi_0 D \psi_1)$ and $\psi = \neg(\psi_0 T \psi_1)$ are analogous.

— Let $\psi = \psi_0 C \psi_1$. Assuming that $S(n)$ is satisfiable over $C$, there is a model $M^+ = (D, V)$, where $(D, <)$ is an extension of $(C, <)$, such that $M^+, [c_i,c_j] \Vdash \theta$ for all $(\theta, [c_i,c_j]) \in S(n)$. In particular, $M^+, [c_i,d] \Vdash \psi_0$ and $M^+, [d,c_j] \Vdash \psi_1$ for some $c_i < d < c_j$. Consider two cases:

1. If $d \in C$, then $d = c_m$ for some $c_i < c_m \le c_j$. But among the successors of $n$ there are two nodes $n_m, n'_m$ where $\nu(n_m) = ((\psi_0, [c_i,c_m]), C, u)$ and $\nu(n'_m) = ((\psi_1, [c_m,c_j]), C, u)$, and since $n_m, n'_m \prec n$ (without loss of generality, suppose $n_m \prec n'_m$), by the inductive hypothesis $S(n_m) = S(n) \cup \{(\psi_0, [c_i,c_m]), (\psi_1, [c_m,c_j])\}$ is not satisfiable over $C$, which is a contradiction;

2. If $d \notin C$, then there is an $m$ such that $i < m < j-1$ and $c_m < d < c_{m+1}$. Hence, there are two successors $n_m, n'_m$ of $n$ such that $\nu(n_m) = ((\psi_0, [c_i,d]), C \cup \{d\}, u)$, $\nu(n'_m) = ((\psi_1, [d,c_j]), C \cup \{d\}, u)$, and since $n_m, n'_m \prec n$ (without loss of generality, suppose $n_m \prec n'_m$), by the inductive hypothesis $S(n_m) = S(n) \cup \{(\psi_0, [c_i,d]), (\psi_1, [d,c_j])\}$ is not satisfiable over $C \cup \{d\}$ which, again, is a contradiction.

Thus, in either case $S(n)$ is not satisfiable over $C$.

— Let $\psi = \psi_0 D \psi_1$. Assuming that $S(n)$ is satisfiable over $C$, there is a model $M^+ = (D, V)$, where $(D, <)$ is an extension of $(C, <)$, such that $M^+, [c_i,c_j] \Vdash \theta$ for all $(\theta, [c_i,c_j]) \in S(n)$. In particular, $M^+, [d,c_i] \Vdash \psi_0$ and $M^+, [d,c_j] \Vdash \psi_1$ for some $d < c_i$. Consider three cases:

1. If $d \in C$, then $d = c_m$ for some $c_m < c_i$. But among the successors of $n$ there are two nodes $n_m, n'_m$ where $\nu(n_m) = ((\psi_0, [c_m,c_i]), C, u)$ and $\nu(n'_m) = ((\psi_1, [c_m,c_j]), C, u)$, and since $n_m, n'_m \prec n$ (without loss of generality, suppose $n_m \prec n'_m$), by the inductive hypothesis $S(n_m) = S(n) \cup \{(\psi_0, [c_m,c_i]), (\psi_1, [c_m,c_j])\}$ is not satisfiable over $C$, which is a contradiction.

2. If $d \notin C$ and there is a minimal element $c \in C$ and an index $m$ such that $c_m, c_{m+1} \in [c,c_i]$ and $c_m < d < c_{m+1}$, then there are two successors $n_m, n'_m$ of $n$ such that $\nu(n_m) = ((\psi_0, [d,c_i]), C \cup \{d\}, u)$ and $\nu(n'_m) = ((\psi_1, [d,c_j]), C \cup \{d\}, u)$, and since $n_m, n'_m \prec n$ (without loss of generality, suppose $n_m \prec n'_m$), by the inductive hypothesis $S(n_m) = S(n) \cup \{(\psi_0, [d,c_i]), (\psi_1, [d,c_j])\}$ is not satisfiable over $C \cup \{d\}$ which, again, is a contradiction.

3. If $d \notin C$ and there is an index $m$ such that $c_{m+1} \in [c,c_i]$, $d < c_{m+1}$, and $d$ is not comparable with all predecessors of $c_{m+1}$, then, again, there are two successor nodes $n_m, n'_m$ of $n$ such that $\nu(n_m) = ((\psi_0, [d,c_i]), C \cup \{d\}, u)$ and $\nu(n'_m) = ((\psi_1, [d,c_j]), C \cup \{d\}, u)$, and since $n_m, n'_m \prec n$ (without loss of generality, suppose $n_m \prec n'_m$), by the inductive hypothesis $S(n_m) = S(n) \cup \{(\psi_0, [d,c_i]), (\psi_1, [d,c_j])\}$ is not satisfiable over $C \cup \{d\}$ which, again, is a contradiction.

Thus, in each case $S(n)$ is not satisfiable over $C$.

— The case of $\psi = \psi_0 T \psi_1$ is similar.

□

Definition 7. If $T_0$ is the three-node tableau built up from a root with void decoration and two leaves decorated respectively by $((\phi, [c_b,c_e]), \{c_b < c_e\}, 0)$ and $((\phi, [c_b,c_b]), \{c_b\}, 0)$ for a given BCDT$^+$-formula $\phi$, the limit tableau $T$ for $\phi$ is the (possibly infinite) decorated tree obtained as follows. First, for all $i$, $T_{i+1}$ is the tableau obtained by the simultaneous application of the branch-expansion strategy to every branch in $T_i$. Then, we ignore all flags from the decorations of the nodes in every $T_i$. Thus, we obtain a chain by inclusion of decorated trees $T_1 \subseteq T_2 \subseteq \ldots$, and we define $T = \bigcup_{i=0}^{\infty} T_i$.

Notice that the chain above may stabilize at some $T_i$ if it closes, or if the branch-expansion rule is not applicable to any of its branches. If $T$ is a limit tableau, we associate with each branch $B$ in $T$ the interval structure $C_B = \bigcup_{i=0}^{\infty} C_{B_i}$, where, for all $i$, $C_{B_i}$ is the interval structure from the decoration of the leaf of the (sub-)branch $B_i$ of $B$ in $T_i$. The definitions of closed and open branches readily apply to $T$.

Definition 8. A branch in a (limit) tableau is saturated if there are no nodes 
on that branch to which the branch-expansion rule is applicable on the branch. 
A (limit) tableau is saturated if every open branch in it is saturated. 

Now we will show that the set of all labeled formulas on an open branch in 
a limit tableau has the saturation properties of a Hintikka set in first-order logic. 

Lemma 1. Every limit tableau is saturated. 

Proof. Given a node $n$ in a limit tableau $T$, we denote by $d(n)$ the distance (number of edges) between $n$ and the root of $T$. Now, given a branch $B$ in $T$, we will prove by induction on $d(n)$ that after every step of the expansion of that branch at which the branch-expansion rule becomes applicable to $n$ (because $n$ has just been introduced, or because a new point has been introduced in the interval structure on $B$) that rule is subsequently applied on $B$ to that node.

Suppose the inductive hypothesis holds for all nodes with distance to the root less than $l$. Let $d(n) = l$ and suppose the branch-expansion rule has become applicable to $n$. If there are no nodes between the root (incl. the root) and $n$ (excl. $n$) to which the branch-expansion rule is applicable at that moment, the next application of the branch-expansion rule on $B$ is to $n$. Otherwise, consider the closest-to-$n$ node $n^*$ between the root and $n$ to which the branch-expansion rule is applicable or will become applicable on $B$ at least once thereafter. (Such a node exists because there are only finitely many nodes between $n$ and the root.) Since $d(n^*) < d(n)$, by the inductive hypothesis the branch-expansion rule has been subsequently applied to $n^*$. Then the next application of the branch-expansion rule on $B$ must have been to $n$, and that completes the induction. Now, assuming that a branch in a limit tableau is not saturated, consider the node $n$ closest to the root on that branch $B$ to which the branch-expansion rule is applicable on that branch. If $\phi(n)$ is none of the cases $\neg C$, $\neg D$, and $\neg T$, then the branch-expansion rule has become applicable to $n$ at the step when $n$ is introduced, and by the claim above, it has been subsequently applied, at which moment the node has become unavailable thereafter, which contradicts the assumption. Suppose that $\phi(n) = \neg(\psi_0 C \psi_1)$. Then an application of the rule on $B$ would create two successors with labels $(\neg\psi_0, [c_i,c])$ and $(\neg\psi_1, [c,c_j])$, at least one of them new on $B$. But $c_i, c_j, c$ have already been introduced at some (finite) step of the construction of $B$, and at the first step when the three of them, as well as $n$, have appeared on the branch, the branch-expansion rule has become applicable to $n$; hence it has been subsequently applied on $B$, and that application must have introduced the labels $(\neg\psi_0, [c_i,c])$ and $(\neg\psi_1, [c,c_j])$ on $B$, which again contradicts the assumption. The same holds if $\phi(n) = \neg(\psi_0 D \psi_1)$ or $\phi(n) = \neg(\psi_0 T \psi_1)$. □

Corollary 1. Let $\phi$ be a BCDT$^+$-formula and $T$ be the limit tableau for $\phi$. For every open branch $B$ in $T$, the following closure properties hold.

— If there is a node $n \in B$ such that $\nu(n) = ((\neg\neg\psi, [c_i,c_j]), C, u)$, then there is a node $n_0 \in B$ such that $\nu(n_0) = ((\psi, [c_i,c_j]), C, u_0)$.

— If there is a node $n \in B$ such that $\nu(n) = ((\psi_0 \wedge \psi_1, [c_i,c_j]), C, u)$, then there is a node $n_0 \in B$ such that $\nu(n_0) = ((\psi_0, [c_i,c_j]), C, u_0)$ and a node $n_1 \in B$ such that $\nu(n_1) = ((\psi_1, [c_i,c_j]), C, u_1)$.

— If there is a node $n \in B$ such that $\nu(n) = ((\neg(\psi_0 \wedge \psi_1), [c_i,c_j]), C, u)$, then there is a node $n_0 \in B$ such that $\nu(n_0) = ((\neg\psi_0, [c_i,c_j]), C, u_0)$ or a node $n_1 \in B$ such that $\nu(n_1) = ((\neg\psi_1, [c_i,c_j]), C, u_1)$.

— If there is a node $n \in B$ such that $\nu(n) = ((\psi_0 C \psi_1, [c_i,c_j]), C, u)$, then, for some $c \in C_B$ such that $c_i < c < c_j$, there are two nodes $n', m' \in B$ such that $\nu(n') = ((\psi_0, [c_i,c]), C', u')$ and $\nu(m') = ((\psi_1, [c,c_j]), C', u')$.

— Similarly for every node $n$ with $\phi(n) = \psi_0 D \psi_1$ or $\phi(n) = \psi_0 T \psi_1$.

— If there is a node $n \in B$ such that $\nu(n) = ((\neg(\psi_0 C \psi_1), [c_i,c_j]), C, u)$, then for all $c \in C_B$ such that $c_i < c < c_j$, there is a node $n' \in B$ such that $\nu(n') = ((\neg\psi_0, [c_i,c]), C', u')$ or a node $m' \in B$ such that $\nu(m') = ((\neg\psi_1, [c,c_j]), C', u')$.

— Similarly for every node $n$ with $\phi(n) = \neg(\psi_0 D \psi_1)$ or $\phi(n) = \neg(\psi_0 T \psi_1)$.

Lemma 2. If the limit tableau for some formula $\phi \in$ BCDT$^+$ is closed, then some finite tableau for $\phi$ is closed.

Proof. Suppose the limit tableau for $\phi$ is closed. Then every branch closes at some finite step of the construction and then remains finite. Since the branch-expansion rule always produces finitely many successors, every finite tableau is finitely branching, and hence so is the limit tableau. Then, by König's lemma, the limit tableau, being a finitely branching tree with no infinite branches, must be finite; hence its construction stabilizes at some finite stage. At that stage a closed tableau for $\phi$ is constructed. □

A General Tableau Method for Propositional Interval Temporal Logics 115

Theorem 2 (Completeness). Let $\phi \in$ BCDT$^+$ be a valid formula. Then there is a closed tableau for $\neg\phi$.

Proof. We will show that the limit tableau $T$ for $\neg\phi$ is closed, whence the claim follows by the previous lemma.

By contraposition, suppose that $T$ has an open branch $B$. Let $C_B$ be the interval structure associated with $B$ and $S(B)$ be the set of all labeled formulas on $B$. Consider the model $M^+ = (C_B, V)$ where, for every $[c_i,c_j] \in I(C_B)^+$ and $p \in AP$, $p \in V([c_i,c_j])$ iff $(p, [c_i,c_j]) \in S(B)$. We show by induction on $\psi$ that, for every $(\psi, [c_i,c_j]) \in S(B)$, $M^+, [c_i,c_j] \Vdash \psi$.

We reason by induction on the complexity of $\psi$:

— Let $\psi = \pi$ (resp., $\psi = \neg\pi$). Since $(\pi, [c_i,c_j]) \in S(B)$ (resp., $(\neg\pi, [c_i,c_j]) \in S(B)$) and $B$ is open, then $c_i \neq c_j$ (resp., $c_i = c_j$). Hence $M^+, [c_i,c_j] \Vdash \pi$ (resp., $M^+, [c_i,c_j] \Vdash \neg\pi$).

— Let $\psi = p$ or $\psi = \neg p$ where $p \in AP$. Then the claim follows by definition, because if $(\neg p, [c_i,c_j]) \in S(B)$ then $(p, [c_i,c_j]) \notin S(B)$ since $B$ is open.

— Let $\psi = \neg\neg\psi_0$. Then by Corollary 1, $(\psi_0, [c_i,c_j]) \in S(B)$, and by the inductive hypothesis $M^+, [c_i,c_j] \Vdash \psi_0$. So $M^+, [c_i,c_j] \Vdash \psi$.

— Let $\psi = \psi_0 \wedge \psi_1$. Then by Corollary 1, $(\psi_0, [c_i,c_j]) \in S(B)$ and $(\psi_1, [c_i,c_j]) \in S(B)$. By the inductive hypothesis, $M^+, [c_i,c_j] \Vdash \psi_0$ and $M^+, [c_i,c_j] \Vdash \psi_1$, so $M^+, [c_i,c_j] \Vdash \psi$.

— Let $\psi = \neg(\psi_0 \wedge \psi_1)$. Then by Corollary 1, $(\neg\psi_0, [c_i,c_j]) \in S(B)$ or $(\neg\psi_1, [c_i,c_j]) \in S(B)$. By the inductive hypothesis $M^+, [c_i,c_j] \Vdash \neg\psi_0$ or $M^+, [c_i,c_j] \Vdash \neg\psi_1$, so $M^+, [c_i,c_j] \Vdash \psi$.

— Let $\psi = \psi_0 C \psi_1$. Then by Corollary 1, $(\psi_0, [c_i,c]) \in S(B)$ and $(\psi_1, [c,c_j]) \in S(B)$ for some $c \in C_B$ such that $c_i < c < c_j$. Thus, by the inductive hypothesis, $M^+, [c_i,c] \Vdash \psi_0$ and $M^+, [c,c_j] \Vdash \psi_1$, and thus $M^+, [c_i,c_j] \Vdash \psi$.

— Similarly for $\psi = \psi_0 D \psi_1$ and $\psi = \psi_0 T \psi_1$.

— Let $\psi = \neg(\psi_0 C \psi_1)$. Then by Corollary 1, for all $c \in C_B$ such that $c_i < c < c_j$, $(\neg\psi_0, [c_i,c]) \in S(B)$ or $(\neg\psi_1, [c,c_j]) \in S(B)$. Hence, by the inductive hypothesis, $M^+, [c_i,c] \Vdash \neg\psi_0$ or $M^+, [c,c_j] \Vdash \neg\psi_1$ for all $c_i < c < c_j$. Thus, $M^+, [c_i,c_j] \Vdash \psi$.

— Similarly for $\psi = \neg(\psi_0 D \psi_1)$ and $\psi = \neg(\psi_0 T \psi_1)$.

This completes the induction. In particular, we obtain that $\neg\phi$ is satisfied in $M^+$, which is in contradiction with the assumption that $\phi$ is valid. □
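The model construction $M^+$ used in the proof above, as an added Python example that is not code from the paper: the valuation is read off the atoms on a branch exactly as in Theorem 2, and a recursive checker then verifies every labeled formula on the branch. The checker assumes the non-strict CDT semantics (point intervals allowed, as the $+$ in BCDT$^+$ indicates): $\psi_0 C \psi_1$ holds on $[a,b]$ iff $\psi_0$ holds on $[a,c]$ and $\psi_1$ on $[c,b]$ for some $a \le c \le b$; $\psi_0 D \psi_1$ iff $\psi_0$ holds on $[c,a]$ and $\psi_1$ on $[c,b]$ for some $c \le a$; $\psi_0 T \psi_1$ iff $\psi_0$ holds on $[b,c]$ and $\psi_1$ on $[a,c]$ for some $c \ge b$. The constant $\pi$ is omitted, and the interval structure and the two sample branches are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple, Union

Interval = Tuple[int, int]


@dataclass(frozen=True)
class Atom:
    name: str


@dataclass(frozen=True)
class Neg:
    sub: "Formula"


@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"


@dataclass(frozen=True)
class Chop:
    op: str            # one of "C", "D", "T"
    left: "Formula"
    right: "Formula"


Formula = Union[Atom, Neg, And, Chop]
Labeled = Tuple[Formula, Interval]      # a labeled formula (psi, [c_i, c_j])


@dataclass
class Model:
    points: Tuple[int, ...]                # the finite interval structure C_B, sorted
    val: Dict[Interval, FrozenSet[str]]    # V([c_i, c_j]): atoms true on that interval


def holds(m: Model, iv: Interval, f: Formula) -> bool:
    """M+, [a, b] |= f under the assumed (non-strict) CDT semantics."""
    a, b = iv
    if isinstance(f, Atom):
        return f.name in m.val.get(iv, frozenset())
    if isinstance(f, Neg):
        return not holds(m, iv, f.sub)
    if isinstance(f, And):
        return holds(m, iv, f.left) and holds(m, iv, f.right)
    if f.op == "C":   # split [a,b] at some a <= c <= b
        return any(holds(m, (a, c), f.left) and holds(m, (c, b), f.right)
                   for c in m.points if a <= c <= b)
    if f.op == "D":   # some c <= a with f.left on [c,a] and f.right on [c,b]
        return any(holds(m, (c, a), f.left) and holds(m, (c, b), f.right)
                   for c in m.points if c <= a)
    if f.op == "T":   # some c >= b with f.left on [b,c] and f.right on [a,c]
        return any(holds(m, (b, c), f.left) and holds(m, (a, c), f.right)
                   for c in m.points if c >= b)
    raise ValueError("unknown chop operator " + f.op)


def model_from_branch(points, branch: Set[Labeled]) -> Model:
    """The model M+ of Theorem 2: p is true on [c_i,c_j] iff (p,[c_i,c_j]) is on the branch."""
    val: Dict[Interval, Set[str]] = {}
    for f, iv in branch:
        if isinstance(f, Atom):
            val.setdefault(iv, set()).add(f.name)
    return Model(tuple(sorted(points)), {iv: frozenset(s) for iv, s in val.items()})


def branch_satisfied(points, branch: Set[Labeled]) -> bool:
    """True iff every labeled formula on the branch holds in M+ (the induction of Theorem 2)."""
    m = model_from_branch(points, branch)
    return all(holds(m, iv, f) for f, iv in branch)


# Constructed sample data (not from the paper): points c_0 < c_1 < c_2 and two branches.
POINTS = (0, 1, 2)
p, q, r = Atom("p"), Atom("q"), Atom("r")

# A saturated open branch: every chop formula has its witnesses on the branch.
SATURATED = {
    (And(Chop("C", p, q), Neg(r)), (0, 2)),
    (Chop("C", p, q), (0, 2)), (Neg(r), (0, 2)),
    (p, (0, 1)), (q, (1, 2)),
    (Chop("D", p, q), (1, 2)), (q, (0, 2)),
}

# The same without the witnesses for p C q: not saturated, so M+ does not satisfy it.
UNSATURATED = {(Chop("C", p, q), (0, 2)), (Neg(r), (0, 2))}

if __name__ == "__main__":
    print(branch_satisfied(POINTS, SATURATED))    # True
    print(branch_satisfied(POINTS, UNSATURATED))  # False
```

The second branch shows why saturation matters for the argument: without the witnesses $(p, [c_0,c_1])$ and $(q, [c_1,c_2])$ on the branch, the valuation read off the atoms has nothing under $p C q$, and the inductive step fails.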



Concluding Remark: The main natural continuation of this work would be 
to identify cases (fragments of the logic, or classes of interval structures) when 
the tableau will terminate and therefore provide a decision procedure. 
Abstract. The disconnection calculus since its original conception has been developed into one of the most successful tableau methods ever devised. Still, deductions in the disconnection calculus can suffer from redundancies inherent to the tableau framework. Even though the calculus can decide the Bernays-Schönfinkel class of formulae, it is in many cases inferior to combinations of a grounding mechanism with a Davis-Putnam prover system. In this paper we address two enhancements of the disconnection calculus that are intended to reduce some of the redundancies typical for tableau methods. First, we investigate the use of local variables, a syntactically detectable form of universal variables. These variables can be used to relax the ∀-closure condition and introduce partial unification for branch closures. However, the use of such variables has certain ramifications, which we will also discuss. Then, we examine the extended use of context lemmas during proof search by allowing the use of context lemmas for subsumption of new tableau clauses. We also show limitations of this method. Both techniques described in this paper are being implemented as part of the DCTP disconnection tableau prover.



1 Introduction 

For many years, automated deduction in classical first-order logic was dominated by resolution-based systems. In recent years, however, a number of generally successful systems have been developed which belong to the tableau paradigm. Because tableau deductions have a richer structure, a number of strongly differing tableau calculi have been developed, like connection tableaux [13, 12], hypertableaux [2], or disconnection tableaux [5, 14, 19]. Currently, the most powerful tableau-oriented theorem prover is the DCTP system [15, 18], which is based on the disconnection tableau approach. The main advantage of disconnection tableaux is that free variables in tableaux are not treated in a rigid manner as in Fitting's free-variable tableaux [6] or in connection tableaux. There, any free variable is just treated as a name for a single yet unknown (ground) term $t$, and free variables need to be instantiated during the deduction process. Since free variables in general are distributed over the entire tableau, an instantiation has strong global effects. As a consequence of this destructive method, a central virtue of Smullyan's original tableau calculus is lost, viz., the possibility of saturating a branch up to a Hintikka set, which represents a model. Also, the decision power of such free-variable tableau systems is significantly weakened.

With the disconnection approach, this weakness is remedied, since variables are kept local to clauses. In fact, the approach can be viewed as the first integration of unification into tableaux which preserves the property of branch saturation. For certain types of formulae, this can be exploited for model generation [14]. Also, disconnection tableaux offer the possibility for the integration of a number of methods that increase the performance dramatically. Examples are techniques like the special treatment of unit clauses (including simplification and subsumption), folding up (which implements a controlled integration of the cut rule), and an efficient equality handling by using an equivalent of ordered paramodulation [1]. In summary, the disconnection approach seems to be most promising for future developments.

In this paper, we concentrate on an important weakness of the current method concerning the treatment of variables. In certain cases, we may be able to deduce a clause $c$ containing a literal $l$ with one or more universal or local variables $x_1, \ldots, x_n$, i.e., $c$ is of the form $(\forall x_1 \cdots x_n\, l) \vee c'$ where $c'$ is the rest of the clause. As we will demonstrate, universal variables can be treated differently and may permit a significant reduction of the proof length and the search space; in certain cases just one such clause may speed up the search by orders of magnitude.

Obviously, the application of this method depends on the number of occurrences of universal variables. Since in practical examples universal variables occur only very rarely, we have to think about methods which support the generation of clauses with universal variables. Fortunately, here we can observe an important synergetic effect of different methods. When using the methods of folding up and unit simplification, the number of generated universal variables significantly increases.

The paper is organised as follows. Following this introduction, Section 2 defines the basic notation and describes the disconnection calculus. In Section 3 we illustrate a fundamental weakness of the current method and show how this weakness can be remedied by treating universal variables appropriately. In Section 4 we consider the modifications that have to be made when units and the folding-up rule are used. Then, we describe an implementation of the method in the system DCTP and give results of an experimental evaluation of the new system. We conclude with an assessment of this work and address future perspectives.



2 The Disconnection Tableau Calculus 

The disconnection tableau calculus was first developed in [5]; the method works on sets of clauses. As usual, a literal is an atomic formula or a negated atomic formula. A clause is a disjunction of literals; occasionally, we will treat clauses as sets of literals. A literal occurrence is any pair $(c, l)$ where $c$ is a clause, $l$ is a literal, and $l \in c$. Throughout this paper, we assume that all clauses in the clause sets and in the constructed tableau are variable-disjoint.

Definition 1 (Link, Linking Instance). Given two variable-disjoint clauses $c$ and $c'$ and two literal occurrences $(c, l)$ and $(c', \neg l')$, if there is a unifier $\sigma$ of $l$ and $l'$, then the set $\ell = \{(c, l), (c', \neg l')\}$ is called a connection or link (between the clauses $c$ and $c'$). The clause $c\sigma$ is a linking instance of $c$ wrt. the connection $\ell$.

The generation of linking instances is related to the clause linking method developed in [8]. In contrast to Plaisted's and Lee's approach, however, the disconnection method embeds the process of generating linking instances into a tableau-guided control structure. We need the following further notions.

Definition 2 (Path). A path through a clause set $S$ is any total mapping $P : S \to \bigcup S$ with $P(c) \in c$, i.e., a set containing exactly one literal occurrence $(c, l)$ for every $c \in S$. By the set of literals of $P$ we mean the set of literals in the range of $P$. A path $P$ is complementary if it contains two literal occurrences of the form $(c, l)$ and $(c', \neg l)$; otherwise $P$ is called consistent or open.

Definition 3 (Tableau). A tableau is a (possibly infinite) downward tree with literal labels at all tree nodes except the root. Given a clause set $S$, a tableau for $S$ is a tableau in which, for every tableau node $N$, the set of literals $c = l_1, \ldots, l_m$ at the immediate successor nodes $N_1, \ldots, N_m$ of $N$ is an instance of a clause in $S$; for every $N_i$ ($1 \le i \le m$), $c$ is called the clause of $N_i$. With every tableau node $N_i$ the literal occurrence $(c, l_i)$ will be associated. Furthermore, a branch of a tableau $T$ is any maximal sequence $B = N_1, N_2, N_3, \ldots$ of nodes in $T$ such that $N_1$ is an immediate successor of the root node and any $N_{i+1}$ is an immediate successor of $N_i$. In the tableaux that we will consider, no clause will occur more than once on a branch, so with every branch $B$ we can associate a path $P$, viz., the set of literal occurrences associated with the nodes in $B$.

The disconnection tableau calculus consists of a single inference rule, the 
so-called linking rule. 

Definition 4 (Linking Rule). Given a tableau branch $B$ with leaf node $N$ and two ancestor nodes $N_1$ and $N_2$ with literals $l$ and $\neg l'$ and variable-disjoint clauses $c_1$ and $c_2$, respectively, if $\ell = \{(c_1, l), (c_2, \neg l')\}$ is a connection with unifier $\sigma$, then

1. expand the branch with a linking instance wrt. $\ell$ of one of the two clauses, say, with $c_1\sigma$,

2. below the node labeled with $l\sigma$, expand the branch with a linking instance wrt. $\ell$ of the other clause, i.e., $c_2\sigma$.

3. Afterwards, rename the variables in the new tableau clauses, i.e., substitute all variables with new different variables not yet seen in the deduction process.

120 Reinhold Letz and Gernot Stenz

Fig. 1. Illustration of a linking step



In other terms, we perform a clause linking step (in the terminology of the clause linking method) and attach the coupled linking instances below the leaf $N$ of the current tableau branch. In order to be able to start the tableau construction, we must provide an initial set of connections from which to choose the first links. For this we may take an arbitrary initial path $P_S$ through the set $S$ of input clauses; $P_S$ remains fixed during the entire tableau construction.

As a branch closure condition, the standard tableau closure condition is not sufficient, but the same notion as employed in the clause linking method can be used.

Definition 5 (∀-Closure). A tableau branch $B$ is ∀-closed if it contains two literals $l$ and $\neg k$ such that $l\theta = k\theta$ where $\theta$ is a substitution mapping all variables to the same new constant.¹

So by the very nature of a linking step, in the tableau in Fig. 1, the middle branch must be ∀-closed, as indicated with an asterisk.

The disconnection tableau calculus then simply consists of the rule for the 
selection of an initial path (applicable merely once at the beginning of the 
proof construction) and the linking rule. The calculus is refutationally sound and 
complete for any initial path selection [14]. The most important completeness- 
preserving refinement of the calculus is the following. 

Definition 6 (Variant-Freeness). A disconnection tableau $T$ is variant-free if, for no node $N$ with clause $c$ in $T$, there exists an ancestor node $N'$ in $T$ with clause $c'$ such that $c$ and $c'$ are variants of each other, i.e., $c$ can be obtained from $c'$ by renaming its variables. (Note, however, that this restriction does not extend to the initial path.)

With this refinement it is automatically achieved that a link can be used only once on each branch, which permits decision procedures for certain formulae classes, most notably the Bernays-Schönfinkel class (which cannot be decided by resolution). As shown in [14], we may also extract a model from a finitely failed open branch.

¹ However, this substitution is not actually applied to the tableau, as opposed to rigid-variable tableaux.

Since the disconnection method constructs just a single tableau as in the original approach of Smullyan, this tableau also represents the entire search space including all useless attempts to produce closed sub-tableaux. Consequently, large parts of the tableau are irrelevant for closure, i.e., many branch literals are not used for branch closures in the dominated sub-tableau and can therefore be pruned together with the respective tableau clauses.

Definition 7 (Relevance). A tableau node $N$ dominating² a closed sub-tableau $T$ is relevant in $T$ if $N$ is used for a ∀-closure in $T$. A clause in a tableau is relevant if all its nodes are relevant in their respective sub-tableaux.

As usual, a tableau is constructed in a depth-first manner by exploring one branch at a time until it can be closed, and afterwards backtracking³ to the next selected open branch with maximal depth. This method is similar to the working of SAT-solvers following the DPLL approach. Accordingly, we can also apply dependency-directed backtracking as used in most of those SAT-solvers. In order to identify whether a branch literal is relevant, we use the method of relevance sets, which is described in [11].



3 Universal Variables and Their Potential 

In a tableau proof a branch formula $F$ containing free variables often has to be used more than once, but with different instances for some of the variables, say, $u_1, \ldots, u_n$. This may lead to the multiple occurrence of similar subproofs. Such multiple occurrences can be avoided if one can show that the respective variables are universal wrt. the formula $F$, i.e., when $\forall u_1 \cdots u_n\, F$ holds on the branch. A general description of this property is given, e.g., in [3]. Since proving this property is undecidable in general, efficient sufficient conditions for universality have been developed, e.g., the concept of locality in [10]. We will use a similar approach.

Definition 8 (Local Variable). A variable $u$ is called local in a literal $l$ of a clause $l \vee c$ if $u$ occurs in $l$ but not in $c$.

Obviously, since all clauses in disconnection tableaux are variable-disjoint, any local variable in a literal on a tableau branch is universal wrt. the literal.

In order to illustrate a fundamental weakness of the current system and the potential of the use of universal variables, we discuss a very simple example. As a matter of fact, in practice, such clauses will normally not occur in the respective input formulae, but, as our experiments show, clauses with universal variables may be dynamically generated during the proof process.

² A node dominates a sub-tableau if it is on the branch from the root of the entire tableau to the root of the sub-tableau, including both.

³ Note that this does not mean that we backtrack over different tableaux as in the connection tableau method or in Fitting's free-variable tableaux.

Fig. 2. Tableau for the clause set from Example 1 (input clauses $P_1(u_1) \vee P_2(u_2)$, $\neg P_1(a_1) \vee \neg P_1(a_2)$, $\neg P_2(a_1) \vee \neg P_2(a_2)$; closed branches are marked with an asterisk)

Example 1. Let $S$ be a set consisting of the three clauses $P_1(u_1) \vee P_2(u_2)$, $\neg P_1(a_1) \vee \neg P_1(a_2)$, and $\neg P_2(a_1) \vee \neg P_2(a_2)$ where the $u_i$ denote variables and the $a_i$ constants.

A part of a minimal closed disconnection tableau for this set is displayed in Fig. 2. Note that for the entire proof thirteen linking steps are needed.

The redundancy in the proof is obvious. Since the variables Ui in the first 
clause are universal, one should treat the respective branches separately, i.e., not 
mix the instantiations resulting from the independent parts, and exploit this for 
obtaining a shorter proof and a smaller search space. Different methods have 
been developed in order to achieve a better behaviour for such formulae. 

One approach to avoid that the product of the instantiations is formed is to split a clause $c \vee c'$, where $c$ and $c'$ are variable-disjoint, and refute the sub-clauses separately. This problem splitting is, for example, used in the SPASS prover system [23, 24]. Another approach is to replace the first clause with two new clauses $D_1 \vee c$ and $\neg D_1 \vee c'$ where $D_1$ is a new predicate symbol. This method of clause splitting is used quite successfully in resolution systems like Vampire [16]. Unfortunately, both methods have to be used carefully. In resolution, for example, we have to avoid that the original clause is reintroduced by a resolution step. In the tableau framework, the introduction of new formulae which are not sub-formulae of the original ones even contradicts the basic working paradigm and can lead to other problems. The first approach is problematic because all optimisations of the system such as pruning and the reuse of subproofs would have to be adapted or would not be possible at all.

Therefore, we propose to use a more natural method which is also more 
general in that it applies to some cases where the clause parts are not entirely 
variable-disjoint. We extend the closure rule in such a manner that a literal con- 
taining universal variables can be used for different branch closures. We require, 
however, that one of the clause parts is a literal. 

In order to avoid the forming of instantiation products, we simply forbid that 
universal literals be instantiated when the linking instances are generated. This 
procedure reduces the search space to an extent which cannot even be achieved 
by the clause splitting approach. 

Definition 9 (U-Closure). A u-substitution is a substitution on universal variables only. Two terms/literals $k, l$ are u-unifiable if there is a u-substitution $\sigma$ with $k\sigma = l\sigma$. A tableau branch is u-closed if it contains two literals $k, \neg l$ and a u-substitution $\sigma$ such that $k\sigma$ and $l\sigma$ are equal under variable identification.

In order to capture the restriction that universal variables must not be further instantiated in linking steps, the linking rule has to be modified, as follows.

Definition 10 (U-Linking Rule). Let $c\sigma$ be a linking instance according to the standard linking rule (Definition 1). Then instead of putting $c\sigma$ on the tableau, u-linking puts $c\tau$ on the tableau where $\tau$ is the restriction of $\sigma$ to the non-universal variables of $c$.

With the new rules, we achieve the disconnection tableau proof displayed in 
Fig. 3. Furthermore, since the u-linking rule forbids that clauses are put on the 
tableau in which universal variables are instantiated, no further instance of the 
first clause can appear in the tableau. 
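The definitions above (link and linking instance, ∀-closure, local variables, u-closure and the u-linking rule), run on the clause set of Example 1, as an added Python example that is neither code from the paper nor from DCTP. The term representation, the unifier with its `bindable` restriction, and the second pair $Q(x,a)$, $\neg Q(b,y)$ are constructions for this illustration:

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Fn:                       # function application; a constant is an Fn without args
    name: str
    args: Tuple["Term", ...] = ()


Term = Union[Var, Fn]
Subst = Dict[Var, Term]


@dataclass(frozen=True)
class Lit:
    pos: bool                   # False for a negated atom
    pred: str
    args: Tuple[Term, ...]


Clause = Tuple[Lit, ...]


def apply(t: Term, s: Subst) -> Term:
    if isinstance(t, Var):
        return apply(s[t], s) if t in s else t
    return Fn(t.name, tuple(apply(a, s) for a in t.args))


def apply_lit(l: Lit, s: Subst) -> Lit:
    return Lit(l.pos, l.pred, tuple(apply(a, s) for a in l.args))


def term_vars(t: Term) -> Set[Var]:
    return {t} if isinstance(t, Var) else set().union(*(term_vars(a) for a in t.args))


def lit_vars(l: Lit) -> Set[Var]:
    return set().union(*(term_vars(a) for a in l.args))


def unify(pairs: Iterable[Tuple[Term, Term]], bindable: Optional[Set[Var]] = None) -> Optional[Subst]:
    """Syntactic unification with occurs check. If `bindable` is given, only those
    variables may be instantiated, which yields the u-substitutions of Definition 9."""
    def bindable_var(t: Term) -> bool:
        return isinstance(t, Var) and (bindable is None or t in bindable)
    s: Subst = {}
    work = list(pairs)
    while work:
        x, y = work.pop()
        x, y = apply(x, s), apply(y, s)
        if x == y:
            continue
        if bindable_var(y) and not bindable_var(x):
            x, y = y, x                               # put the variable to bind on the left
        if bindable_var(x):
            if x in term_vars(y):
                return None
            s[x] = y
        elif isinstance(x, Fn) and isinstance(y, Fn) and x.name == y.name and len(x.args) == len(y.args):
            work.extend(zip(x.args, y.args))
        else:
            return None                               # clash, or a non-bindable variable
    return s


def link(l: Lit, k: Lit, bindable: Optional[Set[Var]] = None) -> Optional[Subst]:
    """Unifier of the atoms of two complementary literals (a connection, Definition 1)."""
    if l.pos == k.pos or l.pred != k.pred or len(l.args) != len(k.args):
        return None
    return unify(zip(l.args, k.args), bindable)


def linking_instance(c: Clause, sigma: Subst) -> Clause:
    return tuple(apply_lit(m, sigma) for m in c)


def local_vars(c: Clause, i: int) -> Set[Var]:
    """Definition 8: variables of c[i] that occur in no other literal of c."""
    return lit_vars(c[i]) - set().union(*(lit_vars(m) for j, m in enumerate(c) if j != i))


def u_linking_instance(c: Clause, sigma: Subst, universal: Set[Var]) -> Clause:
    """Definition 10: apply only the restriction of sigma to the non-universal variables."""
    return linking_instance(c, {v: t for v, t in sigma.items() if v not in universal})


def forall_closed(l: Lit, k: Lit) -> bool:
    """Definition 5: map every variable to one fresh constant, then compare."""
    theta = {v: Fn("$c") for v in lit_vars(l) | lit_vars(k)}
    return l.pos != k.pos and l.pred == k.pred and apply_lit(l, theta).args == apply_lit(k, theta).args


def u_closed(l: Lit, k: Lit, universal: Set[Var]) -> bool:
    """Definition 9: u-unify on the universal variables, then identify what is left."""
    sigma = link(l, k, bindable=universal)
    return sigma is not None and forall_closed(apply_lit(l, sigma), apply_lit(k, sigma))


# Example 1 of the paper: P1(u1) v P2(u2), ~P1(a1) v ~P1(a2) (the third clause is not needed here)
u1, u2, a1, a2 = Var("u1"), Var("u2"), Fn("a1"), Fn("a2")
C1: Clause = (Lit(True, "P1", (u1,)), Lit(True, "P2", (u2,)))
C2: Clause = (Lit(False, "P1", (a1,)), Lit(False, "P1", (a2,)))


def demo() -> dict:
    l, k = C1[0], C2[0]                                  # the link between P1(u1) and ~P1(a1)
    sigma = link(l, k)                                   # {u1 -> a1}
    universal = local_vars(C1, 0) | local_vars(C1, 1)    # u1 and u2 are both local, hence universal
    x, y = Var("x"), Var("y")                            # constructed pair needing partial unification
    g, h = Lit(True, "Q", (x, Fn("a"))), Lit(False, "Q", (Fn("b"), y))
    return {
        "sigma": sigma,
        "standard_instance": linking_instance(C1, sigma),        # P1(a1) v P2(u2): a new clause
        "u_instance": u_linking_instance(C1, sigma, universal),  # P1(u1) v P2(u2): unchanged
        "forall_closed": forall_closed(l, k),                    # False: u1 and a1 differ under theta
        "u_closed": u_closed(l, k, universal),                   # True: u1 may be bound to a1
        "two_var_forall": forall_closed(g, h),                   # False: Q($c,a) vs Q(b,$c)
        "two_var_u": u_closed(g, h, {x, y}),                     # True: x -> b, y -> a
    }
```

Under the standard linking rule the link between $P_1(u_1)$ and $\neg P_1(a_1)$ yields the new instance $P_1(a_1) \vee P_2(u_2)$; since $u_1$ and $u_2$ are local, the u-linking rule leaves the clause unchanged, and the branch closes by u-closure instead. The second pair shows why the abstract calls this partial unification: identifying all variables with one constant fails on $Q(x,a)$ and $\neg Q(b,y)$, while a u-substitution that binds $x$ and $y$ separately closes them.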

Proposition 1 (Soundness of u-Closure). If there is a u-closed disconnec- 
tion tableau T for a set of clauses S, then S is unsatisfiable. 

Proof. We show the soundness by transforming $T$ into a tableau which can be closed according to general tableau rules. First, we replace every literal $l$ containing the universal variables $u_1, \ldots, u_n$ with the finite conjunction $C_l$ of all instances $l\theta_i$ of $l$ in which $l$ is used in u-closure steps; this is sound, because every pair of a variable assignment and an interpretation which satisfies $\forall u_1 \cdots u_n\, l$ also satisfies $C_l$. Now, we can simulate any u-closure step using literals $k$ and $l$ with two applications of the $\alpha$-rule selecting the respective literals $k\theta$ and $l\theta'$ from the conjunctions $C_k$ and $C_l$, respectively, followed by a standard ∀-closure using $k\theta$ and $l\theta'$. □

Fig. 3. Closed tableau for the clause set from Example 1 using local variables (input clauses $P_1(u_1) \vee P_2(u_2)$, $\neg P_1(a_1) \vee \neg P_1(a_2)$, $\neg P_2(a_1) \vee \neg P_2(a_2)$; all four branches close, as marked with asterisks)

To show the completeness of the method is more difficult. The problem is that the very paradigm of the disconnection method is to produce clause instances, whereas the u-linking rule blocks this for universal variables. Although in many examples the new method will lead to a shortening of proofs, it may also lead to a lengthening of proofs, as can be seen with the example in Fig. 4. The normal instantiated tableau on the left can be closed more quickly than the u-linking tableau on the right, as the instantiation of the non-local subgoal $Q(z)$ is delayed and thus an additional u-linking step has to be performed to ensure the u-closedness of the tableau.

So with the new calculus it is not possible to simulate the old one step by step, which would significantly facilitate the completeness proof. Instead one should prove completeness by extending the argument given in [14] to the new calculus, which, however, is out of the scope of this paper.



4 Universal Variables and Unit Lemmas 

By far the most significant improvement of the performance of the basic disconnection method was achieved by the integration of a special handling of unit clauses. In the resolution context, unit resolution is a very favourable strategy for Horn problems, and even though unit resolution is incomplete for non-Horn problems, unit preference is a very successful method in general. Inferences with unit clauses can also improve the search behaviour of hyper-linking calculi [9]. In the tableau context, unit clauses are favourable because they avoid a branching of the tableau.

Fig. 4. Proof lengthening by the use of universal variables

The treatment of unit clauses in our system DCTP is completely different from the handling of non-unit clauses. On the one hand, no instances of unit clauses are put on the tableau. On the other hand, the closure for unit clauses is u-closure. So in DCTP unit clauses are already treated in a universal manner, since all their variables are trivially universal. The concept of universal variables put forward in this paper can therefore be viewed as a generalisation of the special handling of units to the non-unit case. With the u-linking rule and the u-closure condition, we have achieved a general framework in which the up to now specialised treatment of units becomes standard.

Two further features of unit clauses are unit subsumption and unit simplification. While the deletion of subsumed clauses on a branch is in general incomplete for the disconnection method, unit subsumption can be safely applied, i.e., any clause can be deleted which is subsumed by a unit clause (i.e., which contains a literal that is an instance of the unit). Unit simplification applies to a clause $c$ if a unit clause subsumes the complement of a literal $l$ in $c$; the result is that $l$ is removed from the clause. Obviously, this may eventually lead to the generation of a new unit clause, which can be added to the data base.

So, in the disconnection framework, we can also dynamically generate new unit clauses. There is a further method for generating new unit clauses, which originates from a completely different source: the so-called folding up procedure. Folding up was introduced in the context of tableaux with rigid variables like connection tableaux [12]. The method generalises Shostak's c-reduction rule [17] and provides an efficient way of producing bottom-up lemmas that can be used in other parts of the proof. However, in the context of the disconnection method with its more general closure condition, folding up has to be adapted appropriately to preserve soundness. For the standard disconnection method with standard linking and $\forall$-closure, the method is as follows.

Definition 11 (Folding Up). For every branch literal $l$ at the root of a closed sub-tableau $T$ such that $l$ is relevant in $T$, we can formulate a so-called context lemma $k = \neg l\tau$, where $\tau$ is a substitution which identifies all variables in $l$. The unit $k$ can then be used for branch closure on all branches which are dominated by the lowest relevant literal $r$ in $T$ above $l$.

This can be implemented by adding $k$ to the edge immediately above $r$. One has to take care, however, that the relevance information remains correct when context lemmas are used for branch closure. The usefulness of these methods can already be seen at Example 1: with folding up, even the standard disconnection procedure can reduce the minimal proof length from thirteen linking steps to five.

We will now discuss what happens when u-closure and u-linking are used together with folding up. The problem here is that a naive combination of both features destroys the soundness of the disconnection method, which can be seen from the following example.

Example 2. Consider the two clauses $c_1 = P(u,x) \lor P(x,x)$ and $c_2 = \neg P(a,y) \lor \neg P(b,y)$, where $u$ is a universal variable.

Assume we start the tableau construction with a u-linking step on the literals $P(u,x)$ and $\neg P(a,y)$. Then the original clauses are put on the tableau, say first $c_1$ and below $P(u,x)$ the clause $c_2$. According to the u-linking rule the universal variable $u$ is not instantiated. Next, we u-close the $\neg P(b,y)$-branch. Now we can walk back and fold up the literal $P(u,x)$ and generate a context unit lemma of the form $\neg P(u,x)\tau$. This situation is depicted in Fig. 5.

But what is the correct substitution $\tau$? If the standard procedure were used, we would have to generate a context unit lemma of the form $\neg P(x,x)$ and insert it at the root of the tableau. Afterwards it could be used to $\forall$-close the remaining open branch and hence the entire tableau. Unfortunately, the set of the two input clauses is satisfiable. What went wrong is that we did not take into account that the stronger the closure rule used, the weaker the resulting context lemmas.

In order to develop the correct generalisation of folding up in the presence of u-closure, we have to recall that folding up is just an efficient encoding of clauses derivable from certain sub-tableaux, as pointed out in [12]. Let $T$ be a closed sub-tableau with relevant root literal $l$ and $S_T$ the set of clauses occurring in the sub-tableau $T$. Assume further that $\neg l_1, \ldots, \neg l_n$ are the leaf literals in $T$ whose branches are closed using $l$, and $P$ the disjunction of the leaf literals in $T$ whose branches are closed using literals above $l$. Then we can conclude that $S_T \models (\neg l_1 \lor \cdots \lor \neg l_n \lor P)\theta$, where $\theta$ is a substitution identifying all non-universal variables. Now, in order that $(\neg l_1 \lor \cdots \lor \neg l_n)\theta$ becomes a unit, its literals must be unifiable by a u-substitution $\tau$, and only if such a unifier exists may we generate a context unit. We now give a more implementation-oriented reformulation of this method.

Fig. 5. Folding up with universal variables as in Example 2

Definition 12 (Folding Up with Universal Variables). Let $T$ be a closed sub-tableau with relevant root literal $l$ and $\sigma_1, \ldots, \sigma_n$ be the u-substitutions in which $l$ is used in u-closure steps in $T$. Let further $\theta$ be the substitution which maps all non-universal variables to the same variable $x$ not occurring in the tableau. Then we can perform folding up for $l$ only if there is a unifier $\tau$ for $l\sigma_1\theta, \ldots, l\sigma_n\theta$, and the generated context unit lemma is $\neg l\tau$, whose variables are all treated as local except for $x$. The point to which the context unit lemma is folded up is the same as in the standard procedure.

With this method, more and logically stronger context units can be generated (note that in the old approach, context units may only be used for $\forall$-closure and not, like context-free units, for u-closure).

Furthermore, when context units contain only universal variables, then we 
can use them also for pruning similar to context-free units. This amounts to 
a generalisation of the well-known regularity condition [14]. 
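The unit subsumption and unit simplification checks described above and the folding-up condition of Definition 12 rest on the same ingredient, first-order matching and unification, so one added example illustrates both. This is example code written for this edition, not code from the paper or from the DCTP prover; the tuple encoding of terms, the name `?xnew` standing in for the fresh variable $x$ of Definition 12, and the brute-force model finder used to expose the unsound lemma are assumptions made for the illustration. The block replays Example 2: the standard lemma $\neg P(x,x)$ makes the satisfiable set $\{c_1, c_2\}$ unsatisfiable, whereas Definition 12 refuses to fold up because $P(a,x)$ and $P(b,x)$ do not unify.

```python
import itertools
# Added example, not code from the paper or from DCTP.  Hypothetical data
# layout: a variable is a str starting with '?'; a term is a constant str or a
# tuple (functor, arg, ...); an atom is (predicate, arg, ...); a literal is
# (sign, atom) with sign True for positive and False for negated.
FRESH = '?xnew'   # the variable x "not occurring in the tableau" of Definition 12

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def apply(t, s):
    """Apply substitution dict s to a term, atom or literal."""
    if is_var(t):
        return apply(s[t], s) if t in s else t
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply(a, s) for a in t[1:])
    return t

def vars_of(t, acc=None):
    acc = set() if acc is None else acc
    if is_var(t):
        acc.add(t)
    elif isinstance(t, tuple):
        for a in t[1:]:
            vars_of(a, acc)
    return acc

def unify(a, b, s=None, frozen=frozenset()):
    """Most general unifier of a and b extending s, or None.  Variables in
    `frozen` are treated as constants, which turns unification into matching."""
    s = {} if s is None else dict(s)
    todo = [(a, b)]
    while todo:
        x, y = (apply(t, s) for t in todo.pop())
        if x == y:
            continue
        if is_var(x) and x not in frozen:
            if x in vars_of(y):            # occurs check
                return None
            s[x] = y
        elif is_var(y) and y not in frozen:
            if y in vars_of(x):
                return None
            s[y] = x
        elif (isinstance(x, tuple) and isinstance(y, tuple)
              and x[0] == y[0] and len(x) == len(y)):
            todo.extend(zip(x[1:], y[1:]))
        else:
            return None
    return s

def match(pattern, target):
    """s with apply(pattern, s) == target, or None (sides variable-disjoint)."""
    return unify(pattern, target, frozen=frozenset(vars_of(target)))

def unit_subsumes(unit, clause):
    """Unit subsumption: the clause contains an instance of the unit literal."""
    sign, atom = unit
    return any(s == sign and match(atom, a) is not None for s, a in clause)

def unit_simplify(unit, clause):
    """Unit simplification: drop literals whose complement is an instance of the unit."""
    sign, atom = unit
    return [(s, a) for s, a in clause if not (s != sign and match(atom, a) is not None)]

def naive_fold_up(lit):
    """Standard folding up (Definition 11): negate lit with all variables identified."""
    return (not lit[0], apply(lit[1], {v: FRESH for v in vars_of(lit)}))

def fold_up(lit, u_substs, universal):
    """Definition 12.  u_substs: the u-substitutions sigma_i under which lit closed
    branches below it; universal: its universal variables.  theta sends every
    non-universal variable to FRESH; fold up only if all lit*sigma_i*theta unify,
    the lemma being the negated common instance (variables except FRESH universal)."""
    images = [apply(lit[1], s) for s in u_substs]
    theta = {v: FRESH for i in images for v in vars_of(i) if v not in universal}
    images, tau = [apply(i, theta) for i in images], {}
    for img in images[1:]:
        tau = unify(images[0], img, tau)
        if tau is None:
            return None
    return (not lit[0], apply(images[0], tau))

def has_model(clauses, domain):
    """Brute force for tiny sets: ground over `domain`, search the ground atoms."""
    ground = set()
    for c in clauses:
        vs = sorted(set().union(*(vars_of(a) for _, a in c)))
        for vals in itertools.product(domain, repeat=len(vs)):
            ground.add(tuple((s, apply(a, dict(zip(vs, vals)))) for s, a in c))
    atoms = sorted({a for c in ground for _, a in c})
    for bits in itertools.product((False, True), repeat=len(atoms)):
        truth = dict(zip(atoms, bits))
        if all(any(truth[a] == s for s, a in c) for c in ground):
            return truth
    return None

# Example 2 of the paper: c1 = P(u,x) v P(x,x), c2 = -P(a,y) v -P(b,y), u universal.
# P(u,x) closes the -P(a,y) and -P(b,y) branches under {u->a} and {u->b}.
C1 = [(True, ('P', '?u', '?x')), (True, ('P', '?x', '?x'))]
C2 = [(False, ('P', 'a', '?y')), (False, ('P', 'b', '?y'))]
ROOT, U_SUBSTS = C1[0], [{'?u': 'a'}, {'?u': 'b'}]
```

`has_model([C1, C2], ['a', 'b'])` finds a model, adding `naive_fold_up(ROOT)` (i.e. $\neg P(x,x)$) to the set makes it unsatisfiable, and `fold_up(ROOT, U_SUBSTS, {'?u'})` returns `None`, which is exactly the refusal Definition 12 prescribes; with only the first u-substitution it yields the lemma $\neg P(a,x)$.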

5 Implementation: The DCTP Theorem Prover 

The disconnection calculus has been implemented and continuously refined in the theorem prover DCTP. The design and implementation of DCTP is described briefly in [18] and in greater detail in [19]. While the underlying inference mechanism of DCTP has remained unchanged since version 1.2, significant alterations have been made to several aspects of the system for the current version 1.3. These changes include a complete redesign of the preprocessing mechanism, where the connection graph computation has been made redundant by an index unification algorithm. The mechanism for resolving so-called isolated connections [4] has been improved to allow more resolution steps, while still ensuring termination of this technique. The priority for branch closures has been reversed from local to global closures in order to facilitate the generation of more general lemmas.

6 Motivation: The CASC-18 System Competition 

The current state of the art with regard to automated theorem proving is demonstrated by the annual CASC prover competitions [21]. After first participating at CASC-JC in 2001, an improved version 1.2 of DCTP took part in CASC-18 in Copenhagen in 2002, along with a strategy-parallel version DCTP-10.1p that employed differently parameterised versions of DCTP using the technology of the e-SETHEO system [20]. Certain aspects of the CASC-18 outcome deserve attention. The disconnection calculus is able to decide the problems presented in the EPR class of the competition. But even though DCTP was the key strategy used by the winning e-SETHEO system in that class, DCTP itself did not perform quite as well as expected, in particular on the unsatisfiable problems of this class. Many problems that could readily be solved by resolution provers and trivially be solved with the use of propositional Davis-Putnam provers were far beyond the capabilities of DCTP. Also, quite a few of the satisfiable problems of the EPR class could not be solved by any of the participating systems due to the sheer size of those problems of several megabytes each.

In the all-important MIX class of the most general problems, DCTP performed reasonably well on the problems containing equality literals, despite the fact that the equational reasoning component of DCTP is not on the same level of refinement as the top systems for equational problems. On the other hand, DCTP did not perform too well on the set of Horn problems without equality, a problem class that is widely considered as comparatively easy.

The discrepancies between the theoretical expectations and the practical results in both the EPR and MIX classes of CASC-18 strongly suggest that improvements in the implementation of DCTP are possible on a fundamental level. This was the primary motivation for the development of the new features described in this paper.

7 Enhancements for Version 1.3 

Preprocessing and the connection graph. During formula preprocessing, DCTP initially used a connection graph on the input set for finding pure clauses and isolated connections. However, for very large problems it is infeasible to compute such a connection graph even once. To improve the scalability of DCTP, the entire concept of the connection graph was dropped. Instead, as part of a complete re-implementation of the formula preprocessing stage, a unification index was introduced.

Factorisation. Clause factoring is a standard technique in resolution systems. 
Tableau provers, on the other hand, can only incorporate limited versions of 
factorisation into the proof search, such as the folding up of solved subgoals. 
It is, however, possible to have full factorisation of the clause set as a part of 
the formula preprocessing stage. This factorisation is combined with full clause 
subsumption to limit the number of generated clauses. 

Isolated connections. Isolated connections are links in the clause set where one of the linked subgoals has just this one link in all the clauses. This link can then deterministically be resolved upon to reduce the number of input clauses and increase the instantiatedness of the clauses. But resolving one isolated connection can lead to new isolated connections, and if the mechanism is employed to the full it can lead to non-terminating loops of resolution steps. A mechanism was included that guarantees termination while at the same time making near-optimal use of isolated connections. Alternatively, in cases where the resolution of isolated connections is not wanted, the information present can still be used to propagate instantiations.

Better closure heuristics. It is possible that more than one path subgoal is available at a time during proof search to be used for branch closure with a leaf subgoal. Older versions of DCTP used the strategy of selecting the lowest possible subgoal for branch closure. This method had been imported from model elimination and was supposed to keep branch closures as local as possible and therefore provide frequent possibilities for folding up subgoals. But then tests showed that it is far more profitable to use the uppermost closing subgoal on the branch. This way fewer subgoals can be folded up, but they can be folded up to higher points on the tableau and thus are available for more widespread use. Additionally, this global selection of closing subgoals better fits into the framework of a proof confluent calculus as it allows more redundant tableau clauses to be pruned.



8 Future Extensions of DCTP 

Model extraction. As mentioned above, the disconnection calculus allows the extraction of models from failed proof attempts. The theory of model extraction for the non-equality case has been discussed in detail in [19], also with regard to the effects of calculus refinements on the extraction of models. An implementation of such a model extraction mechanism is still pending.

Relaxation of the active path restriction. The proper selection of a suitable initial 
active path as explained in Section 2 is crucial for the success of a proof attempt. 
In order to gain greater independence from this selection process we intend to 
devise a way that allows us to select arbitrary links from the input set while at 
the same time limiting the search space growth. 

Decidable classes. There are several decidable subclasses of first-order logic, e.g. the monadic fragment. We want to identify further classes of formulae that the disconnection calculus can decide and what special restrictions to the inference process are necessary in order to achieve this goal. This also includes the integration of separate decision procedures into DCTP. Currently we investigate the possibility of extending the disconnection calculus by certain kinds of literal orderings and selection functions to provide a decision procedure for the guarded fragment.



9 Integration of the New Features 

Both concepts described in this paper, u-linking and the extended use of context 
lemmas, have very recently been implemented as part of the theorem prover 
DCTP [18]. These implementation efforts have required a major reconstruction 
of large parts of the inference mechanism. 

In older versions of DCTP, branch closure was realised as either $\forall$-closure or t-closure (as described in [18, 19]). Both could be implemented in a lean way by membership checks of branch subgoal indexes. The introduction of u-closure, on the other hand, made it necessary to partially unify branch subgoals. In order to do this efficiently, the entire linking and branch closure mechanism was changed to use a unification index.

Another problem was presented by the way in which DCTP performs linking steps. When a subgoal to be extended and a link to be applied have been selected, DCTP unifies the linked subgoals to create temporarily instantiated versions of the original linked clauses. Only when a linking step has been found not to be redundant, i.e. at least one new clause is placed on the tableau as a result of said linking step, new and variable-disjoint clause copies are created to be placed on the tableau. Finally, the effects of the linking instantiation are undone. This manner of performing linking steps was introduced to prevent the excessive creation of redundant clause copies.

However, in combination with u-linking a number of problems arise. Consider a tableau clause $c = P(u_1,u_1,x) \lor Q(x)$ with branch literal $P(u_1,u_1,x)$, which contains the local variable $u_1$, and another tableau clause $d = \neg P(a,u_2,u_2) \lor R(y) \lor S(y)$ with branch literal $\neg P(a,u_2,u_2)$, where $u_2$ is local. If a u-linking step is applied to the link between $c$ and $d$, the unification temporarily produces the clauses $c' = P(a,a,a) \lor Q(a)$ and $d' = \neg P(a,a,a) \lor R(y) \lor S(y)$. The application of the unifier is necessary to properly instantiate the shared variable $x$ in $c$. But as local variables are not instantiated, the final clauses resulting from the linking step are $c'' = P(u_1,u_1,a) \lor Q(a)$ and $d'' = \neg P(a,u_2,u_2) \lor R(y) \lor S(y)$. Note that $d''$ can be deleted as a variant of $d$ while $d'$ cannot. This example illustrates the necessity to make significant changes to the linking mechanism: either all potential linking instances are immediately produced in their final versions, or all procedures for variant deletion, regularity failure or subsumption checks must be properly adapted to handle intermediate instantiations of local variables.

Even though both local variables and extended context lemmas have been included in DCTP in a working fashion, the implementation is not entirely completed. In order to fully exploit the potential of these new calculus enhancements, it is necessary to integrate them properly into all heuristics and guidance functions.

10 Experiments 

We were able to identify a number of test problems from the TPTP problem library [22] where the use of local variables proved advantageous. Table 1 shows the proof times (in seconds) and proof search inferences for these example problems. All tests were conducted on a Linux PC with 512 MB of memory and clocked at 2.4 GHz. The maximum allowed time for each proof attempt was 200 seconds. DCTP was used with a fixed parameterisation largely identical to the one used by DCTP-1.2 at the CASC-18 competition in 2002.

The example of LCL225-1 demonstrates that the number of inferences need not necessarily be reduced to achieve shorter proof times. The LCL type problems often feature very large terms with term depths greater than 10. In these cases it can be useful to employ local variables to avoid creating larger terms. This way even a greater number of simpler inferences can be handled in much less time.

The problem SYN036-1, also known as Andrews' Challenge, had long been unsolvable for DCTP. It first became feasible when clause factoring on the set of input clauses was introduced to the prover. With the inclusion of clause factoring the difference between the numbers of inferences becomes even greater: with factoring, it takes DCTP 1402 successful inferences to prove SYN036-1 (along with 30951 unsuccessful ones) without local variables, while with local variables the proof can be completed within three inferences. This dramatic reduction in proof search is a direct consequence of the fact that clause factoring, along with clause splitting, is a heuristic that favours the creation of universal variables.
Table 1. Performance of DCTP on selected problems with and without the use of local variables (without the extended use of context lemmas). Times are in seconds; "timeout" means the 200 second limit was exceeded.

Problem    | with local variables  | without local variables
           | Time     Inferences   | Time      Inferences
-----------+-----------------------+------------------------
GRP003-2   |  1.03       949       |   9.08       3371
GRP048-2   | 38.43     18333       | timeout         -
LCL004-1   | 51.19      1970       | timeout         -
LCL218-1   |  3.49      5917       |  53.42      13496
LCL223-1   | 21.96     13964       | timeout         -
LCL224-1   | 21.88     13961       | timeout         -
LCL225-1   | 31.83     16322       | 192.43      15123
LCL230-1   | 60.04     19997       | timeout         -
SYN036-1   |  2.18      3372       |  13.49       6432
SYN897-1   |  0.77       214       |  14.21       7923


We are well aware of the fact that the experimental results presented above are not fully comprehensive and that, theoretically, it is possible to find favourable examples for even the most pathological of refinement techniques. However, the implementation of the concepts described in this paper in the context of the DCTP theorem prover is still of a prototypical kind. The correct and efficient integration of local variables into the proof search does not only require a major reconstruction of many data structures, but also a global adaptation of all pruning and clause deletion techniques and, even more important, the development of new guidance heuristics. This extensive reconstruction of DCTP has not been fully completed yet, but we hope to conclude this work in the foreseeable future.

With respect to the other new features of DCTP 1.3, let us take another 
look at the results of CASC-18 in the light of the refinements described in the 
previous sections. 

There was a number of unsatisfiable ALC problems [7] (e.g. SYN440-1) that DCTP could not solve during the competition. With the use of improved preprocessing, global closure and adapted subgoal selection, all of these ALC problems can be solved by DCTP 1.3. The EPR class also contained a number of very large satisfiable translated QBF problems of more than 10 megabytes each (e.g. SYN852-1). None of these could be solved by any of the participating systems. Due to the improved and scalable preprocessing (an initial number of 3240 clauses can be reduced to 26 clauses) combined with the inherent decision power of the disconnection calculus, all of these problems can now be solved within 80 seconds on a 2.4 GHz PC. A number of similar problems also were featured as part of the SAT class of the competition for satisfiable problems (e.g. SYN904-1). These problems, too, can now be solved by DCTP within 20 seconds.
11 Conclusion and Further Work

In this paper, we have integrated the concept of universal variables into the disconnection tableau calculus. We have also developed an improved method for using context lemmas in order to reduce the proof length and the search space. Both of these enhancements have been implemented as part of the DCTP disconnection tableau prover. Even though the current implementation is not the most efficient possible, in many examples a significant speed-up could be achieved. Also, the results do not yet reflect the full potential of the new method, since not everything is implemented. So when all techniques are integrated and adapted to the proof search mechanism, we can expect further significant improvements.

Once the integration of local variables and extended context lemmas has been completed, we see a number of topics for future work. First, we intend to generalise the concept of the extended context lemmas to a more general form of branch regularity. Then, we want to find a way of extending the use of local variables to the equational case. Until now, local variables are used only in problems without equality literals. The integration of extended context lemmas and local variables into the equational reasoning mechanism of the disconnection calculus presents additional problems, as then local variables can become non-local in eq-instances and eq-instances of context lemmas may have to be placed on the tableau in non-unit clauses. The proper handling of context information in the equational case is an interesting and challenging problem.
Abstract. We present a tableau-based decision procedure for the fusion (independent join) of the expressive description logic $\mathcal{ALCQO}$ and the logic $\mathcal{MS}$ for reasoning about distances and similarities. The resulting 'hybrid' logic allows both precise and approximate representation of and reasoning about concepts. The tableau algorithm combines the existing tableaux for the components and shows that the tableau technique can be fruitfully applied to fusions of logics with nominals, the case in which no general decidability transfer results for fusions are available.



1 Introduction 

Undoubtedly, there will come a day when, to attract submissions, organisers will be trying to annotate their conference sites with machine readable information. Imagine, for instance, that we want to do this now for Tableaux 2003. Choosing a formalism for representation of and reasoning about the terminology used in the Tableaux 2003 site, we may naturally try the description logic $\mathcal{ALCQO}$ underlying the DAML+OIL language of the semantic web [7, 1]. Then we start with a definition of tableau-style algorithms and, as a first attempt, write something like this:

$$\mathsf{Tableau\_style\_algorithm} = \mathsf{Algorithm} \sqcap \exists\mathsf{comprises}.\mathsf{Rule}, \qquad (1)$$

saying that tableau-style algorithms are precisely those algorithms that are equipped with rules. Well, it seems unlikely that any potential participant of Tableaux 2003 would be happy with this provocative definition (according to which almost all reasoning procedures may be called tableau-based). Then how to improve it? Do we really have a good, clear and concise definition (which is better than 'lots of rules, but few axioms')? How can we represent in $\mathcal{ALCQO}$ many other 'vague' concepts from the site, such as 'related techniques,' 'related methods,' 'new calculi,' etc.?

M. Cialdea Mayer and F. Pirri (Eds.): TABLEAUX 2003, LNAI 2796, pp. 134-149, 2003.
© Springer-Verlag Berlin Heidelberg 2003
One of the possible solutions to these problems is to introduce a similarity measure between the objects of the application domain, in our case the reasoning procedures (which can be based on common sense, or defined by an expert, or automatically generated using certain algorithms). Then, by taking a role name $\mathsf{similar\_to\_degree} \le 1$, we could say, for instance, that tableau-style algorithms are similar to degree $\le 1$ to at least one of the prototypical tableau algorithms $\mathsf{ta}_1, \ldots, \mathsf{ta}_7$. However, this approach is in conflict with the expressive capabilities of standard description logics (DLs) such as $\mathcal{ALC}$ or DAML+OIL, because usually similarity measures are supposed to satisfy a number of natural axioms like the axioms of metric spaces, in particular, a sort of 'triangle inequality' which is not expressible in standard DLs.

The main idea of this paper is not to extend the family of DLs by introducing a new one, but rather to combine the existing knowledge representation formalisms, viz.,

— the standard description logic $\mathcal{ALCQO}$, i.e., the basic DL $\mathcal{ALC}$ extended with qualified number restrictions, nominals and general TBoxes [5], and

— the logic $\mathcal{MS}$ [13] for reasoning about metric spaces,¹

in order to achieve the desirable expressivity.

To illustrate the expressive power of the resulting 'hybrid' logic $\mathit{sim}$-$\mathcal{ALCQO}$, we show how one can further 'approximate' the definition of tableau-style algorithms. First, we add to the right-hand side of (1) the conjunct

$$E^{\le 1}(\mathsf{ta}_1 \sqcup \cdots \sqcup \mathsf{ta}_7),$$

which is an $\mathcal{MS}$-formula saying that tableau-style algorithms should be similar to degree $\le 1$ to at least one of $\mathsf{ta}_1, \ldots, \mathsf{ta}_7$. If this 'positive information' is still not enough, one can add some 'negative' bit. For example, it may be natural to say that tableau-style algorithms are neither similar to degree $\le 0.5$ to a certain Hilbert-style algorithm $\mathsf{ha}$, nor similar to degree $\le 0.5$ to any resolution-based decision procedure:

$$\neg E^{\le 0.5}\mathsf{ha} \sqcap \neg E^{\le 0.5}\mathsf{Resolution\_based\_algorithm}.$$

Of course, the individual algorithms such as $\mathsf{ha}$ can also be described by means of concepts, possibly involving similarity measures:

$$\mathsf{ha} : \mathsf{Algorithm} \sqcap \neg\exists\mathsf{feature}.\mathsf{Termination} \sqcap A^{\le 0.5}(\exists\mathsf{comprises}.\mathsf{Modus\_ponens})$$

(i.e., $\mathsf{ha}$ does not necessarily terminate and all algorithms similar to it to degree $\le 0.5$ use a kind of modus ponens as one of their inference rules). It may seem more natural to specify similarity in terms of a finite set of symbolic similarity measures such as 'close' and 'far' rather than in terms of rational numbers as above. In our approach, however, the user is free to choose either option: one may fix a rational number for each symbolic similarity measure, say, 1 for 'close' and 10 for 'far' (or the other way round), and then work with the symbolic names.

¹ This metric logic differs considerably from the metric logics investigated in [9]. Here we quantify over open and closed 'balls,' while in [9] over closed balls and their complements. The expressive power of the two languages is, therefore, incomparable.

In this paper, we provide a tableau-style decision procedure for the new logic $\mathit{sim}$-$\mathcal{ALCQO}$. Technically, this logic is the fusion (or independent join) [8, 3] of $\mathcal{ALCQO}$ and $\mathcal{MS}$. We believe that this is a reasonable starting point, since many similarity measures are indeed metric, and our approach can be adapted without any problems to similarity measures which do not satisfy all of the axioms of metric spaces. Moreover, we can easily extend $\mathit{sim}$-$\mathcal{ALCQO}$ and the tableau algorithm with additional similarity measures (say, between inference rules).

In our opinion, $\mathit{sim}$-$\mathcal{ALCQO}$ provides just the right compromise between expressive power and computational cost:

(1) In $\mathit{sim}$-$\mathcal{ALCQO}$, we can mix constructors of $\mathcal{ALCQO}$ and $\mathcal{MS}$ in order to define concepts based on similarity measures as illustrated above. Moreover, as our tableau algorithm shows, reasoning in $\mathit{sim}$-$\mathcal{ALCQO}$ is decidable. It is of interest to contrast this with the fact that a tighter coupling of $\mathcal{ALCQO}$ and $\mathcal{MS}$ leads to undecidability: as we also show, the extension of $\mathcal{MS}$ with qualified number restrictions such as 'there exists at most 1 point $x$ with property $P$ within distance $< 1$' results in an undecidable logic. Therefore, the fusion of the two formalisms seems to be a good starting point for investigating the interaction between concepts and similarity measures.

(2) Although there exists a number of general results regarding the transfer of decidability from the components of a fusion to the fusion itself [8, 3, 12, 2, 11], these results do not apply to logics with nominals (atomic concepts interpreted as singleton sets) such as $\mathcal{ALCQO}$. In fact, no transfer result is available from which we could derive the decidability of $\mathit{sim}$-$\mathcal{ALCQO}$ using the decidability of both $\mathcal{ALCQO}$ and $\mathcal{MS}$. Despite the fact that they are not applicable, it is of interest to note that our algorithm has an important advantage over general approaches to proving decidability: structurally, it is very similar to the tableau algorithms for $\mathcal{SHIQ}$ and $\mathcal{SHOQ}$ proposed in [6, 5]. Since these algorithms have turned out to be implementable in efficient reasoning systems, we do hope that our algorithm shares this attractive property as well.

The paper is organised as follows: in Section 2, we introduce the description logic $\mathit{sim}$-$\mathcal{ALCQO}$. In Section 3, we describe the tableau algorithm for deciding the satisfiability of $\mathit{sim}$-$\mathcal{ALCQO}$-knowledge bases, whose correctness is then proved in Section 4. Section 5 is concerned with the undecidability of $\mathcal{MS}$ extended with qualified number restrictions. A version of this paper with detailed proofs is available at http://www.csc.liv.ac.uk/~frank.



2 The Logic $\mathit{sim}$-$\mathcal{ALCQO}$

In this section, we introduce the combined logic $\mathit{sim}$-$\mathcal{ALCQO}$. The alphabet for forming concepts and assertions consists of the following elements:
— a countably infinite list of concept names $A_1, A_2, \ldots$;

— a countably infinite list of object names $\ell_1, \ell_2, \ldots$;

— binary distance ($\delta$), equality ($=$) and membership ($:$) predicates;

— the Boolean operators $\sqcap$, $\sqcup$, $\neg$;

— two distance quantifiers $E^{<a}$, $E^{\le a}$ and their duals $A^{<a}$, $A^{\le a}$, for every positive rational number $a$ (i.e., $a \in \mathbb{Q}^+$);

— role names $R_1, R_2, \ldots$;

— qualified number restrictions $(\le nR.C)$ and $(\ge nR.C)$, for every natural $n$, every role name $R$, and every concept $C$.

Using this alphabet, $\mathit{sim}$-$\mathcal{ALCQO}$-concepts are defined by the formation rule:

$$C ::= A_i \mid \ell_i \mid \neg C \mid C_1 \sqcap C_2 \mid C_1 \sqcup C_2 \mid E^{<a}C \mid E^{\le a}C \mid A^{<a}C \mid A^{\le a}C \mid (\le nR_i.C) \mid (\ge nR_i.C).$$

As usual, we write $\top$ as an abbreviation for an arbitrary propositional tautology, $\bot$ for $\neg\top$, $\exists R.C$ for $(\ge 1R.C)$, and $\forall R.C$ for $(\le 0R.\neg C)$. At first sight, it may seem strange to have both strict and non-strict versions of the $E$ and $A$ constructors available for talking about similarity measures. Note, however, that this allows us to define the concept $E^{\le a}C \sqcap \neg E^{<a}C$, which states that the most similar object from $C$ is located precisely at distance $a$. Object names occurring in concepts will also be called nominals.

Now we define sim- ACC QO- assertions as expressions of the following forms: 

— i \ C, where £ is an object name and C a concept; 

— Cl = C2, where Ci and C2 are concepts; 

— S{k,£) < a, S{k,£) < a, S{k,£) > a, S{k,£) > a, where k, £ are object names 
and a G Q“*". 



Assertions of the third form are called distance assertions. A sim- ACC QO- 
knowledge base is a finite set of sim-ACCQO-asseviions. 

Observe that knowledge bases subsume both general XBoxes and ABoxes. In 
particular, the rather common ABox assertions of the form (£1, £2) : R, where £1 
and £2 are object names and R a role name, can be viewed as abbreviations for 
£1 : 3i?.£2. 

The semantics of sim-ALCQO-concepts is a blend of the semantics of the 
logic of metric spaces [13] and the usual set-theoretic semantics of description 
logics. A concept-distance model (a CD-model, for short) is a structure of the 
form 

$$\mathfrak{B} = (W, d, A_1^{\mathfrak{B}}, A_2^{\mathfrak{B}}, \ldots, R_1^{\mathfrak{B}}, R_2^{\mathfrak{B}}, \ldots, \ell_1^{\mathfrak{B}}, \ell_2^{\mathfrak{B}}, \ldots),$$

where $(W, d)$ is a metric space with a distance function $d$ satisfying, for all 
$x, y, z \in W$, the axioms 

$$d(x,y) = 0 \text{ iff } x = y, \tag{2}$$

$$d(x,z) \leq d(x,y) + d(y,z), \tag{3}$$

$$d(x,y) = d(y,x), \tag{4}$$

the $A_i^{\mathfrak{B}}$ are subsets of $W$, the $R_i^{\mathfrak{B}}$ are binary relations on $W$, and the $\ell_i^{\mathfrak{B}}$ are 
singleton subsets of $W$ such that $i \neq j$ implies $\ell_i^{\mathfrak{B}} \neq \ell_j^{\mathfrak{B}}$. 

The extension $C^{\mathfrak{B}}$ of a sim-ALCQO-concept $C$ is computed inductively: 

$$(C_1 \sqcap C_2)^{\mathfrak{B}} = C_1^{\mathfrak{B}} \cap C_2^{\mathfrak{B}}, \quad (C_1 \sqcup C_2)^{\mathfrak{B}} = C_1^{\mathfrak{B}} \cup C_2^{\mathfrak{B}}, \quad (\neg C)^{\mathfrak{B}} = W - C^{\mathfrak{B}},$$

$$(\mathsf{E}^{<a}C)^{\mathfrak{B}} = \{x \in W \mid \exists y \in W\,(d(x,y) < a \wedge y \in C^{\mathfrak{B}})\},$$

$$(\mathsf{E}^{\leq a}C)^{\mathfrak{B}} = \{x \in W \mid \exists y \in W\,(d(x,y) \leq a \wedge y \in C^{\mathfrak{B}})\},$$

$$(\mathsf{A}^{<a}C)^{\mathfrak{B}} = \{x \in W \mid \forall y \in W\,(d(x,y) < a \rightarrow y \in C^{\mathfrak{B}})\},$$

$$(\mathsf{A}^{\leq a}C)^{\mathfrak{B}} = \{x \in W \mid \forall y \in W\,(d(x,y) \leq a \rightarrow y \in C^{\mathfrak{B}})\},$$

$$(\leq n R.C)^{\mathfrak{B}} = \{x \in W \mid |\{y \in W \mid (x,y) \in R^{\mathfrak{B}} \wedge y \in C^{\mathfrak{B}}\}| \leq n\},$$

$$(\geq n R.C)^{\mathfrak{B}} = \{x \in W \mid |\{y \in W \mid (x,y) \in R^{\mathfrak{B}} \wedge y \in C^{\mathfrak{B}}\}| \geq n\}.$$



We still have to specify when a CD-model satisfies a sim-ALCQO-assertion: the 
truth-relation $\models$ between CD-models $\mathfrak{B}$ and assertions $\varphi$ is defined as follows: 

— $\mathfrak{B} \models \ell : C$ iff $\ell^{\mathfrak{B}} \subseteq C^{\mathfrak{B}}$, 

— $\mathfrak{B} \models C_1 = C_2$ iff $C_1^{\mathfrak{B}} = C_2^{\mathfrak{B}}$, 

— $\mathfrak{B} \models \delta(k,\ell) < a$ iff $d(k^{\mathfrak{B}}, \ell^{\mathfrak{B}}) < a$, 

— $\mathfrak{B} \models \delta(k,\ell) \leq a$ iff $d(k^{\mathfrak{B}}, \ell^{\mathfrak{B}}) \leq a$, and similarly for $>$ and $\geq$. 

Finally, a sim-ALCQO-knowledge base $\Sigma$ is called satisfiable if there exists a CD-
model $\mathfrak{B}$ such that $\mathfrak{B} \models \varphi$ for all $\varphi \in \Sigma$. In this case we write $\mathfrak{B} \models \Sigma$. 

Note that we make the unique name assumption (UNA), i.e., different object 
names denote distinct domain elements. The sole purpose of this assumption is 
to allow a clearer presentation of our tableau algorithm. It is, however, easily seen 
that the UNA has no influence on decidability, and that our tableau algorithm 
can be extended to deal with sim-ALCQO without UNA. 



3 The Tableau Algorithm 

Now we present a sound, complete and terminating algorithm for checking the 
satisfiability of sim-ALCQO-knowledge bases. In fact, it is a (labelled) tableau 
algorithm that generalises the existing tableau algorithms for metric logics [13] 
and for the description logic ALCQO [5]. Before formulating the algorithm and 
proving its correctness, we introduce some notations and auxiliary definitions. 

Suppose we are given a sim-ALCQO-knowledge base $\Sigma$. Denote by $con(\Sigma)$ 
the set of concepts occurring in $\Sigma$ (including all subconcepts), by $rol(\Sigma)$ the set 
of role names occurring in $\Sigma$, by $par(\Sigma)$ the set of rational numbers occurring in 
$\Sigma$ (either in $\mathsf{E}$/$\mathsf{A}$ concepts or in distance assertions), and by $ob(\Sigma)$ the 
set of object names occurring in $\Sigma$. Without loss of generality, we may assume 
that neither $par(\Sigma)$ nor $ob(\Sigma)$ is empty: if this is not the case, we can always 
add an assertion $\ell : \mathsf{A}^{<a}\top$ with a fresh object name $\ell$ (and any $a \in \mathbb{Q}^+$). To simplify presentation, 
it is convenient to make three assumptions: 
(1) A concept $C$ is in negation normal form (NNF) if negation occurs only 
in front of concept names and nominals. Each concept can be transformed into 
an equivalent one in NNF by pushing negation inwards (for example, is equivalent to ). So, without loss of generality, we may assume that all 
concepts are in NNF. In what follows, we use $\dot{\neg}C$ to denote the NNF of $\neg C$. 

(2) We may also assume that knowledge bases contain only assertions of the 
form $\ell : C$ and $C = \top$. To see this, note first that distance assertions can be 
expressed using nominals and distance quantifiers: 

$$\delta(k,\ell) < a \text{ is equivalent to } k : \mathsf{E}^{<a}\ell, \qquad \delta(k,\ell) \leq a \text{ is equivalent to } k : \mathsf{E}^{\leq a}\ell,$$

$$\delta(k,\ell) > a \text{ is equivalent to } k : \mathsf{A}^{\leq a}\neg\ell, \qquad \delta(k,\ell) \geq a \text{ is equivalent to } k : \mathsf{A}^{<a}\neg\ell.$$

Assertions of the form $C_1 = C_2$ can be rewritten as $(C_1 \sqcap C_2) \sqcup (\dot{\neg}C_1 \sqcap \dot{\neg}C_2) = \top$. 

(3) Without loss of generality, we may assume that $par(\Sigma)$ contains only 
natural numbers: given a knowledge base $\Sigma$ with $par(\Sigma) \subseteq \mathbb{Q}^+$, we may replace 
every element $q$ of $par(\Sigma)$ with $q \cdot x$, where $x$ is the least common multiple of the 
denominators of all elements of $par(\Sigma)$. It is then straightforward to show that 
any CD-model of the resulting knowledge base can be converted into a CD-model 
of $\Sigma$ and vice versa. 
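The three assumptions together describe a normalisation procedure. The following Python is an added example, not code from the paper: it pushes negation inwards (including through the distance quantifiers and the number restrictions), rewrites distance assertions and equalities into the two permitted assertion forms, and scales all distance parameters to natural numbers by the least common multiple of their denominators. The tuple encoding of concepts and assertions is this example's own.

```python
"""Normalising a sim-ALCQO knowledge base along assumptions (1)-(3).

Added example; the tuple encodings are this example's own, not the paper's.
Concepts:   ('cn', name) | ('nom', name) | ('top',) | ('bot',) | ('not', C)
            | ('and', C1, C2) | ('or', C1, C2)
            | ('E', op, a, C) | ('A', op, a, C)      op in {'<', '<='}
            | ('le', n, R, C) | ('ge', n, R, C)      (<= n R.C) and (>= n R.C)
Assertions: ('inst', l, C)           for l : C
            ('eq', C1, C2)           for C1 = C2
            ('dist', k, l, op, a)    for delta(k,l) op a, op in {'<', '<=', '>', '>='}
"""
from fractions import Fraction
from functools import reduce
from math import lcm

DUAL = {'E': 'A', 'A': 'E'}   # negation swaps the quantifier and keeps the bound


def nnf(c):
    """Negation normal form: negation only in front of concept names and nominals."""
    tag = c[0]
    if tag in ('cn', 'nom', 'top', 'bot'):
        return c
    if tag in ('and', 'or'):
        return (tag, nnf(c[1]), nnf(c[2]))
    if tag in ('E', 'A', 'le', 'ge'):
        return (tag, c[1], c[2], nnf(c[3]))
    d = c[1]                                    # tag == 'not'
    t = d[0]
    if t in ('cn', 'nom'):
        return c
    if t in ('top', 'bot'):
        return ('bot',) if t == 'top' else ('top',)
    if t == 'not':
        return nnf(d[1])
    if t in ('and', 'or'):                      # De Morgan
        return ('or' if t == 'and' else 'and', nnf(('not', d[1])), nnf(('not', d[2])))
    if t in ('E', 'A'):                         # not E^{op a} C  ==  A^{op a} not C
        return (DUAL[t], d[1], d[2], nnf(('not', d[3])))
    if t == 'le':                               # not (<= n R.C)  ==  (>= n+1 R.C)
        return ('ge', d[1] + 1, d[2], nnf(d[3]))
    if d[1] == 0:                               # not (>= 0 R.C)  ==  bottom
        return ('bot',)
    return ('le', d[1] - 1, d[2], nnf(d[3]))    # not (>= n R.C)  ==  (<= n-1 R.C)


def dist_assertion(k, l, op, a):
    """delta(k,l) op a as an assertion on k using the nominal l (assumption (2))."""
    if op in ('<', '<='):                       # delta(k,l) < a   iff   k : E^{<a} l
        return ('inst', k, ('E', op, a, ('nom', l)))
    # delta(k,l) > a  iff  k : A^{<=a} not l ;  delta(k,l) >= a  iff  k : A^{<a} not l
    return ('inst', k, ('A', '<=' if op == '>' else '<', a, ('not', ('nom', l))))


def par(c, acc=None):
    """Distance parameters occurring in c (the concept part of par(Sigma))."""
    acc = set() if acc is None else acc
    if c[0] in ('E', 'A'):
        acc.add(Fraction(c[2]))
        par(c[3], acc)
    elif c[0] in ('and', 'or'):
        par(c[1], acc)
        par(c[2], acc)
    elif c[0] in ('le', 'ge'):
        par(c[3], acc)
    elif c[0] == 'not':
        par(c[1], acc)
    return acc


def scale(c, x):
    """Multiply every distance parameter in c by x (assumption (3))."""
    if c[0] in ('E', 'A'):
        return (c[0], c[1], Fraction(c[2]) * x, scale(c[3], x))
    if c[0] in ('and', 'or'):
        return (c[0], scale(c[1], x), scale(c[2], x))
    if c[0] in ('le', 'ge'):
        return (c[0], c[1], c[2], scale(c[3], x))
    if c[0] == 'not':
        return ('not', scale(c[1], x))
    return c


def normalise(kb):
    """Equisatisfiable KB with only l : C and C = T assertions, all concepts in NNF
    and all distance parameters natural numbers (Fractions with denominator 1)."""
    out = []
    for asr in kb:
        if asr[0] == 'dist':
            asr = dist_assertion(*asr[1:])
        if asr[0] == 'eq':                      # C1 = C2  ~>  (C1 and C2) or (~C1 and ~C2) = T
            c1, c2 = asr[1], asr[2]
            asr = ('eq', ('or', ('and', c1, c2), ('and', ('not', c1), ('not', c2))), ('top',))
        if asr[0] == 'inst':
            out.append(('inst', asr[1], nnf(asr[2])))
        else:
            out.append(('eq', nnf(asr[1]), ('top',)))
    params = set()
    for asr in out:
        par(asr[2] if asr[0] == 'inst' else asr[1], params)
    x = reduce(lcm, (p.denominator for p in params), 1)  # lcm of all denominators
    return [('inst', a[1], scale(a[2], x)) if a[0] == 'inst' else ('eq', scale(a[1], x), ('top',))
            for a in out]
```

Parameters are kept as exact Fractions so that the scaling step is exact; $\top$ and $\bot$ are treated as atomic literals for the purpose of NNF.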

We use $a_\Sigma$ to denote the largest natural number that occurs in $par(\Sigma)$ and 
$M[\Sigma]$ to denote the smallest set satisfying the following conditions: 

— $par(\Sigma) \subseteq M[\Sigma]$; 

— if $a, b \in M[\Sigma]$ and $a + b \leq a_\Sigma$, then $a + b \in M[\Sigma]$; 

— if $a, b \in M[\Sigma]$ and $a - b > 0$, then $a - b \in M[\Sigma]$. 

Having started on the input knowledge base $\Sigma$ (in the form described above), 
the tableau algorithm considers only certain ‘relevant’ concepts. More precisely, 
we define the closure $cl(\Sigma)$ of $\Sigma$ to be the (finite) set of concepts 

$$con(\Sigma) \cup \{\dot{\neg}C \mid C \in con(\Sigma)\} \cup \{\mathsf{A}^{<a}C, \mathsf{A}^{\leq a}C \mid a \in M[\Sigma] \text{ and } \exists b > a\ \{\mathsf{A}^{<b}C, \mathsf{A}^{\leq b}C\} \cap con(\Sigma) \neq \emptyset\}.$$

Similar to the set $cl(\Sigma)$ of relevant concepts, $M[\Sigma]$ describes the set of relevant 
numbers. However, the numbers in $M[\Sigma]$ are not enough: to distinguish between 
‘$< a$’ and ‘$\leq a$’, we require some additional symbols that will be used in the same 
way as numbers, namely, $M[\Sigma]^- = \{a^- \mid a \in M[\Sigma]\}$. Define a strict linear order 
$\prec$ on $M[\Sigma] \cup M[\Sigma]^-$ by setting 

$$a_1^- \prec a_1 \prec a_2^- \prec a_2 \prec \cdots \prec a_n^- \prec a_n,$$

where $a_1 < a_2 < \cdots < a_n$. 
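The closure $M[\Sigma]$ and the order $\prec$ can be computed mechanically. The following Python is an added example, not the paper's code: it builds $M[\Sigma]$ from a $par(\Sigma)$ of natural numbers (assumption (3) is assumed to have been applied), lists $M[\Sigma] \cup M[\Sigma]^-$ in $\prec$-order, and records which distance bound an edge label guarantees. The encoding of $a^-$ as the pair $(a, 0)$ and of $a$ as $(a, 1)$ is this example's own choice; it makes Python's tuple order coincide with $\prec$.

```python
"""The relevant numbers M[Sigma] and the strict order on M[Sigma] u M[Sigma]^-.

Added example, not the paper's code. par(Sigma) is assumed to consist of natural
numbers already; a^- is encoded as (a, 0) and a itself as (a, 1)."""


def relevant_numbers(par):
    """Smallest superset of par closed under a+b (when a+b <= a_Sigma)
    and a-b (when a-b > 0), computed as a fixpoint."""
    a_sigma = max(par)                  # the largest number occurring in par(Sigma)
    m = set(par)
    changed = True
    while changed:                      # every value stays in 1..a_Sigma, so this stops
        changed = False
        for a in list(m):
            for b in list(m):
                s, d = a + b, a - b
                if s <= a_sigma and s not in m:
                    m.add(s)
                    changed = True
                if d > 0 and d not in m:
                    m.add(d)
                    changed = True
    return m


def ordered_symbols(m):
    """M[Sigma] u M[Sigma]^- listed as a_1^- < a_1 < a_2^- < a_2 < ... < a_n^- < a_n."""
    return [(a, strict) for a in sorted(m) for strict in (0, 1)]


def min_label(labels):
    """The <-minimum of a non-empty set of labels (the operation behind L(x,y) and L°({x,y}))."""
    return min(labels)


def guarantees(label, op, a):
    """Does a label (b, 1) meaning d <= b, or (b, 0) meaning d < b, entail d op a
    for op in {'<', '<='}?  This is what makes a node a witness for E^{<a} or E^{<=a}."""
    b, strict = label
    if op == '<':
        return b < a if strict == 1 else b <= a
    return b <= a


def fmt(label):
    """Human-readable form: (3, 0) -> '3^-', (3, 1) -> '3'."""
    a, strict = label
    return f"{a}^-" if strict == 0 else str(a)
```

For $par(\Sigma) = \{2, 5\}$ the closure is $\{1, 2, 3, 4, 5\}$, since $5 - 2 = 3$, $3 - 2 = 1$ and then all sums up to $a_\Sigma = 5$ are admitted; for $par(\Sigma) = \{4, 6\}$ it is $\{2, 4, 6\}$.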

We are in a position now to describe our tableau algorithm. Starting with 
$\Sigma$, it operates on constraint systems $\mathcal{S} = (T, <, L, S, E)$, where 

— $(T, <)$ is a forest whose set of roots coincides with $ob(\Sigma)$; 

— $S$ is a node labelling function which associates with each $x \in T$ a set 

$$S(x) \subseteq cl(\Sigma) \cup \{(R,\ell), (a,\ell), (a^-,\ell) \mid \ell \in ob(\Sigma), R \in rol(\Sigma), a \in M[\Sigma]\};$$

— $L$ is a labelling function which associates with each pair $x, y \in T$ such that 
$x < y$ either a role name or a number from $M[\Sigma]$ or a symbol from $M[\Sigma]^-$; 

— $E$ is a set of inequalities between members of $T$. 

Intuitively, we have $x < y$ if either $x$ and $y$ are related by some role $R$ or the 
distance between $x$ and $y$ is known to be smaller than some value from $M[\Sigma]$. 
The purpose of the extra elements $(R,\ell)$ and $(a,\ell)$ in node labels is to represent 
additional edges that lead to nominals (roots in the forest), and whose explicit 
representation would destroy the forest structure. 

The algorithm starts with $\mathcal{S}_0 = (T_0, <_0, L_0, S_0, E_0)$, the initial constraint 
system for $\Sigma$, where 

— $T_0 = ob(\Sigma)$, 

— $S_0(\ell) = \{\ell\} \cup \{C \mid \ell : C \in \Sigma\}$, for every $\ell \in ob(\Sigma)$, 

— $E_0 = \{\ell \neq \ell' \mid \ell, \ell' \in ob(\Sigma),\ \ell \neq \ell'\}$, and 

— $<_0\; = L_0 = \emptyset$. 

Before describing the completion rules, we introduce some simplifying notation 
required to deal with edges represented via node labels. We write $L(x,y) = a$ 
to express that either $x < y$ and $L(x,y) = a$ or that $a$ is the $\prec$-minimum 
of $\{c \mid (c,y) \in S(x)\}$.¹ To account for the fact that, for some rules, it is not 
important whether a node is a predecessor or a successor, we write $L^\circ(\{x,y\}) = a$ 
if $a$ is the $\prec$-minimum of $\{L(x,y), L(y,x)\}$. Finally, for a role name $R$, we say 
that $y$ is an $R$-successor of $x$ if either $x < y$ and $L(x,y) = R$ or $(R,y) \in S(x)$. 

The completion rules are shown in Fig. 1. Constraint systems obtained by 
applying the completion rules to the initial constraint system for $\Sigma$ will be 
called constraint systems for $\Sigma$. The terms ‘blocked’ and ‘indirectly blocked’ in 
the rule premises refer to a cycle detection mechanism that is needed to ensure 
termination of the algorithm. Before discussing the completion rules in more 
detail, let us formally introduce this mechanism. The general idea is that we 
stop the expansion of node labels if a node is labelled with exactly the same set 
of concepts as one of its $<$-ancestors. This simple approach works perfectly well, 
but it is not the most sensible thing we can do: the problem is that, due to the 
‘extra’ concepts $\mathsf{A}^{<a}C$ and $\mathsf{A}^{\leq a}C$, the size of $cl(\Sigma)$ is exponential in the size of 
$\Sigma$ rather than polynomial, and thus paths of the forest may grow to a length 
doubly exponential in $\Sigma$ before the blocking occurs. Fortunately, this worst case 
can be avoided. When comparing node labels to check for a blocking situation, it 
is not necessary to take into account all of the extra $\mathsf{A}^{<a}C$ and $\mathsf{A}^{\leq a}C$ concepts: 
if, for example, we find $\mathsf{A}^{\leq a}C \in S(x)$, then it is clear that the object $x$ also 
satisfies the concepts $\mathsf{A}^{\leq b}C$ for all $b < a$, even if they do not explicitly appear 
in the node label $S(x)$. This observation leads to the following, refined variant 
of blocking. 

¹ This gives a well-defined value for $L(x,y)$, as $(c,y) \in S(x)$ implies that $y$ is a root. 

For a node $x \in T$, we use $S^*(x)$ to denote the set of concepts $C \in S(x)$ such 
that one of the following conditions is satisfied: 

1. $C$ is not of the form $\mathsf{A}^{<a}D$ or $\mathsf{A}^{\leq a}D$; 

2. $C$ is of the form $\mathsf{A}^{\leq a}D$ and there is no $b > a$ such that $\mathsf{A}^{\leq b}D \in S(x)$; 

3. $C$ is of the form $\mathsf{A}^{<a}D$ and there is no $b > a$ such that $\mathsf{A}^{<b}D \in S(x)$. 

Denote by $<^+$ the transitive closure of $<$. We say that a node $x \in T$ is directly 
blocked by a node $y$ if $y <^+ x$, $S^*(x) = S^*(y)$, but for no distinct $u <^+ x$ and 
$v <^+ x$ do we have $S^*(u) = S^*(v)$. The $<^+$-successors of directly blocked nodes 
are called indirectly blocked. All directly or indirectly blocked nodes comprise the 
set of blocked nodes. Observe that the elements $(R,\ell)$ and $(a,\ell)$ of node labels 
are not taken into account for blocking. 

Note that this blocking condition can be refined even further by taking into 
account implications between $\mathsf{A}^{\leq a}C$ and $\mathsf{A}^{<b}C$ concepts. We prefer to work 
with the above variant, since it suffices to restrict paths in forests to exponential 
length, and the more elaborate version makes proofs rather unreadable due to 
many additional case distinctions. 

Let us now return to the completion rules. In what follows we assume that 
a rule can be applied to a tableau only if the tableau is changed. Such a rule 
will be called applicable to the tableau. The tableau algorithm applies the rules 
until either the obtained constraint system contains an obvious contradiction or 
no more rules are applicable. To be more precise, say that a constraint system $\mathcal{S}$ 
contains a clash if it contains a node $x$ such that one of the following conditions 
holds: 

1. $\{A, \neg A\} \subseteq S(x)$, for some concept name $A$; 

2. $\{\ell, \neg\ell\} \subseteq S(x)$ for some object name $\ell$; 

3. $\ell' \in S(\ell)$ for some object names $\ell \neq \ell'$; 

4. $(x \neq x) \in E$; 

5. for some $R$, $(\leq n R.C) \in S(x)$ and there are $n+1$ $R$-successors $y_0, \ldots, y_n$ of $x$ 
with $C \in S(y_i)$, for each $0 \leq i \leq n$, and $y_i \neq y_j \in E$ for each $0 \leq i < j \leq n$. 

A constraint system $\mathcal{S}$ is complete if it either contains a clash or none of the 
rules in Fig. 1 is applicable to $\mathcal{S}$. 
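Blocking and clash detection are the two checks every rule application in Fig. 1 depends on. The following Python is an added example, not the paper's code: it implements $S^*(x)$, direct and indirect blocking along the $<^+$-ancestors of a node, $R$-successors including the $(R,\ell)$ entries stored in node labels, and the five clash conditions, and runs them on two constructed constraint systems. The concept encoding (`('A', op, a, D)` for the universal distance quantifiers, `('to', R, l)` for an $(R,\ell)$ label entry, `frozenset({x, y})` for $x \neq y \in E$) is this example's own.

```python
"""Blocking (S*, directly/indirectly blocked) and clash detection for constraint systems.

Added example, not the paper's code; the encodings and the two sample systems are constructed."""
from itertools import combinations


def s_star(label):
    """S*(x): drop A^{<a}D (resp. A^{<=a}D) when the same quantifier on D occurs with a bound b > a."""
    return frozenset(
        c for c in label
        if not (c[0] == 'A' and any(e[0] == 'A' and e[1] == c[1] and e[3] == c[3] and e[2] > c[2]
                                    for e in label)))


class ConstraintSystem:
    """(T, <, L, S, E) whose roots are the nominals ob(Sigma).
    Edge labels are a role name or a number (here only numbers a meaning d <= a are used)."""

    def __init__(self, nominals):
        self.nominals = set(nominals)
        self.S = {l: {('nom', l)} for l in nominals}   # S_0(l) contains l itself
        self.parent = {}                               # y -> x whenever x < y
        self.L = {}                                    # (x, y) -> edge label
        self.E = set()                                 # frozenset({x, y}) for x != y in E

    def add_node(self, x, y, label, concepts):
        self.parent[y] = x
        self.L[(x, y)] = label
        self.S[y] = set(concepts)

    def ancestors(self, x):
        out = []
        while x in self.parent:
            x = self.parent[x]
            out.append(x)
        return out                                     # all u with u <+ x

    def directly_blocked(self, x):
        stars = [s_star(self.S[u]) for u in self.ancestors(x)]
        if len(set(stars)) < len(stars):               # two distinct ancestors share S*: not direct
            return False
        return s_star(self.S[x]) in stars

    def blocked(self, x):
        """Directly blocked, or a <+-successor of a directly blocked node (indirectly blocked)."""
        return self.directly_blocked(x) or any(self.directly_blocked(u) for u in self.ancestors(x))

    def r_successors(self, x, R):
        """y with x < y and L(x,y) = R, or a nominal y with (R, y) recorded in S(x)."""
        direct = {y for (p, y), lab in self.L.items() if p == x and lab == R}
        via_label = {c[2] for c in self.S[x] if c[0] == 'to' and c[1] == R}
        return direct | via_label

    def clash(self):
        """The first clash found as (kind, node, detail), or None (conditions 1-5)."""
        for x, lab in self.S.items():
            if frozenset({x}) in self.E:                                   # 4: (x != x) in E
                return ('x != x', x, None)
            for c in lab:
                if c[0] in ('cn', 'nom') and ('not', c) in lab:            # 1 and 2
                    return ('contradiction', x, c)
                if c[0] == 'nom' and x in self.nominals and c[1] != x:     # 3: l' in S(l)
                    return ('distinct nominals merged', x, c[1])
                if c[0] == 'le':                                           # 5: (<= n R.C)
                    n, R, C = c[1], c[2], c[3]
                    ys = [y for y in self.r_successors(x, R) if C in self.S[y]]
                    for group in combinations(ys, n + 1):
                        if all(frozenset(p) in self.E for p in combinations(group, 2)):
                            return ('too many R-successors', x, c)
        return None


def blocking_sample():
    """Constructed path l < x1 < x2 < x3: x2 is directly blocked by x1, x3 indirectly."""
    P, Q = ('cn', 'P'), ('cn', 'Q')
    cs = ConstraintSystem(['l'])
    cs.S['l'] |= {Q, ('A', '<=', 4, P)}
    cs.add_node('l', 'x1', 1, {Q, ('A', '<=', 4, P)})                      # d(l, x1) <= 1
    cs.add_node('x1', 'x2', 1, {Q, ('A', '<=', 4, P), ('A', '<=', 2, P)})  # A^{<=2}P is subsumed
    cs.add_node('x2', 'x3', 1, {Q})
    return cs


def clash_sample():
    """Constructed clash: (<= 1 R.C) at k with two R-successors in C that are known to differ."""
    C = ('cn', 'C')
    cs = ConstraintSystem(['k'])
    cs.S['k'].add(('le', 1, 'R', C))
    cs.add_node('k', 'y1', 'R', {C})
    cs.add_node('k', 'y2', 'R', {C})
    cs.E.add(frozenset({'y1', 'y2'}))
    return cs
```

In the first sample $S^*(x_2)$ equals $S^*(x_1)$ once the subsumed $\mathsf{A}^{\leq 2}P$ is dropped, whereas $S^*(\ell)$ differs from both because it contains the nominal $\ell$; the second sample is exactly clash condition 5 with $n = 1$.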

4 Termination, Soundness and Completeness 

We show now that the tableau algorithm above always terminates, is sound 
(i.e., if there is a complete and clash-free constraint system for $\Sigma$, then $\Sigma$ is 
satisfiable), and complete (i.e., if $\Sigma$ is satisfiable, then the tableau algorithm 
eventually succeeds in finding a complete and clash-free constraint system). 
$\mathsf{R}_\sqcap$ If $C_1 \sqcap C_2 \in S(x)$ and $x$ is not indirectly blocked, 
then set $S(x) := S(x) \cup \{C_1, C_2\}$. 

$\mathsf{R}_\sqcup$ If $C_1 \sqcup C_2 \in S(x)$ and $x$ is not indirectly blocked, 
then set either $S(x) := S(x) \cup \{C_1\}$ or $S(x) := S(x) \cup \{C_2\}$. 

$\mathsf{R}_=$ If $C = \top \in \Sigma$ and $x$ is not indirectly blocked, then set $S(x) := S(x) \cup \{C\}$. 

$\mathsf{R}_{\mathsf{A}}$ If $\mathsf{A}^{<a}C \in S(x)$ or $\mathsf{A}^{\leq a}C \in S(x)$ and $x$ is not indirectly blocked, 
then set $S(x) := S(x) \cup \{C\}$. 

$\mathsf{R}_{\mathsf{A}<}$ Let $\mathsf{A}^{<a}C \in S(x)$ and $x$ is not indirectly blocked. Then: 
if $L^\circ(\{y,x\}) = a^-$, then set $S(y) := \{C\} \cup S(y)$; 
if $L^\circ(\{y,x\}) = b < a$, then set $S(y) := \{\mathsf{A}^{<a-b}C\} \cup S(y)$; 
if $L^\circ(\{y,x\}) = b^-$ with $b < a$, then set $S(y) := \{\mathsf{A}^{\leq a-b}C\} \cup S(y)$. 

$\mathsf{R}_{\mathsf{A}\leq}$ Let $\mathsf{A}^{\leq a}C \in S(x)$, $L^\circ(\{y,x\}) \in \{b, b^-\}$ and $x$ is not indirectly blocked. Then: 
if $b = a$, then set $S(y) := \{C\} \cup S(y)$; 
if $b < a$, then set $S(y) := \{\mathsf{A}^{\leq a-b}C\} \cup S(y)$. 

$\mathsf{R}_{\mathsf{E}<}$ If $\mathsf{E}^{<a}C \in S(x)$, $x$ is not blocked, and 
$L(x,y) \notin \{b \mid b < a\} \cup \{b^- \mid b \leq a\}$ for any $y$ with $C \in S(y)$, 
then create a new node $y > x$ and set $L(x,y) := a^-$ and $S(y) := \{C\}$. 

$\mathsf{R}_{\mathsf{E}\leq}$ If $\mathsf{E}^{\leq a}C \in S(x)$, $x$ is not blocked, and 
$L(x,y) \notin \{b \mid b \leq a\} \cup \{b^- \mid b \leq a\}$ for any $y$ with $C \in S(y)$, 
then create a new node $y > x$ and set $L(x,y) := a$ and $S(y) := \{C\}$. 

$\mathsf{R}_{ch}$ If $\{(\geq n R.C), (\leq n R.C)\} \cap S(x) \neq \emptyset$, $x$ is not blocked and $y$ is an 
$R$-successor of $x$, then set $S(y) := S(y) \cup \{C\}$ or $S(y) := S(y) \cup \{\dot{\neg}C\}$. 

$\mathsf{R}_\geq$ If $(\geq n R.C) \in S(x)$, $x$ is not blocked, and there are no $R$-successors $y_1, \ldots, y_n$ 
with $C \in S(y_i)$ and $y_i \neq y_j \in E$, for all $i \neq j$, then take new $y_1 > x, \ldots, y_n > x$ 
and set $L(x,y_i) := R$, $S(y_i) := \{C\}$, $E := E \cup \{y_i \neq y_j \mid 1 \leq i < j \leq n\}$. 

$\mathsf{R}_\leq$ If $(\leq n R.C) \in S(x)$, $x$ is not blocked, has $n+1$ $R$-successors $y_0, \ldots, y_n$ 
with $C \in S(y_i)$ for all $i$, and, for some $i, j \leq n$, $y_i \neq y_j \notin E$ and $y_j \notin ob(\Sigma)$, 
then set $E := E \cup \{y \neq y_i \mid y \neq y_j \in E\}$, $S(y_i) := S(y_i) \cup S(y_j)$, 
$S(x) := S(x) \cup \{(R', \ell) \mid R' = L(x,y_j)\}$ if $y_i = \ell \in ob(\Sigma)$, 
and finally delete $y_j$ and all $z$ with $y_j <^+ z$ from $T$. 

$\mathsf{R}_\ell$ If $\ell \in S(x)$, $x \notin ob(\Sigma)$, and $x$ is not indirectly blocked, 
then set $S(\ell) := S(\ell) \cup S(x)$, and, for every $y$, 
$S(y) := S(y) \cup \{(c,\ell) \mid c = L(y,x) \text{ or } c = R \text{ a role and } x \text{ an } R\text{-successor of } y\}$, 
$E := E \cup \{y \neq \ell \mid y \neq x \in E\}$, and delete $x$ and all $z$ with $x <^+ z$ from $T$. 

Fig. 1. Tableau rules 
Termination 

Theorem 1. Any sequence of applications of tableau rules to the initial con-
straint system for $\Sigma$ terminates after finitely many steps. 

Proof. Let $m_\Sigma = |con(\Sigma)|$ and $n_\Sigma$ be the maximal number occurring in qualified 
number restrictions of $\Sigma$. Termination follows from the following five observations. 

(1) Each rule except $\mathsf{R}_\leq$ and $\mathsf{R}_\ell$ strictly extends the constraint system. Moreover, 
neither $\mathsf{R}_\ell$ nor $\mathsf{R}_\leq$ removes concepts from nodes. 

(2) None of the generating rules $\mathsf{R}_{\mathsf{E}<}$, $\mathsf{R}_{\mathsf{E}\leq}$, $\mathsf{R}_\geq$ can be applied more than once 
to a given node and a given concept. 

Suppose that $\mathsf{R}_{\mathsf{E}<}$ is applied to a node $x$, generates $y$ with $x < y$ and updates 
$L(x,y) = a^-$ and $S(y) = \{C\}$. The only reason why $\mathsf{R}_{\mathsf{E}<}$ could be applied 
once again to $x$ and $\mathsf{E}^{<a}C$ is that later on $y$ is removed by an application of 
$\mathsf{R}_\leq$ or $\mathsf{R}_\ell$. However, unless $x$ is removed (in this case the claim is trivial), $y$ 
cannot be removed by an application of $\mathsf{R}_\leq$ because we do not find a $z$ and 
a role $R$ with $R = L(z,y)$. Suppose $y$ is removed by an application of $\mathsf{R}_\ell$ because 
$\ell \in S(y)$. Then, after the application of $\mathsf{R}_\ell$, we have $(a^-,\ell) \in S(x)$ and $C \in S(\ell)$, 
since $a^- = L(x,y)$. But then, since a node of the form $\ell$ is never removed, the 
rule $\mathsf{R}_{\mathsf{E}<}$ is not applicable to $x$ and $\mathsf{E}^{<a}C$ afterwards. The rule $\mathsf{R}_{\mathsf{E}\leq}$ is considered 
analogously. 

Suppose that $\mathsf{R}_\geq$ is applied to a node $x$, generates $y_1, \ldots, y_n$ with $x < y_i$ and 
updates $L(x,y_i) = R$, $S(y_i) = \{C\}$, and $E = E \cup \{y_i \neq y_j \mid 1 \leq i < j \leq n\}$. 
Now, whenever some $y_j$ is removed by $\mathsf{R}_\leq$ or $\mathsf{R}_\ell$ and $x$ is not removed, after the 
removal of $y_j$ we still have $n$ $R$-successors $z_1, \ldots, z_n$ of $x$ such that $C \in S(z_i)$, 
$E \supseteq \{z_i \neq z_j \mid 1 \leq i < j \leq n\}$. So, $\mathsf{R}_\geq$ is not applied to $x$ after such a removal. 

(3) The out-degree of the forest constructed using the tableau rules is 
bounded by $m_\Sigma + n_\Sigma \cdot m_\Sigma$. This follows from (2) and the fact that nodes are 
labelled with subsets of the set 

$$cl(\Sigma) \cup \{(R,\ell), (a,\ell), (a^-,\ell) \mid \ell \in ob(\Sigma), R \in rol(\Sigma), a \in M[\Sigma]\}.$$

(4) If a node $x$ is removed, then all $z$ with $x <^+ z$ are removed as well. 

(5) No $<$-branch in any constraint system for $\Sigma$ can ever be of length exceeding 
$2^{m_\Sigma} \cdot |M[\Sigma]|^2$, since no node introducing rule can be applied to a node $x$ 
such that $S^*(y) = S^*(z)$ for two distinct $y, z < x$. 

Soundness 

Before proving the soundness of the tableau algorithm, we introduce a relational 
semantics for sim-ALCQO. This semantics comprises, for each $a \in M[\Sigma]$, additional 
binary relations $R_a$ and $S_a$ such that, intuitively, we have $u R_a v$ if the 
distance between $u$ and $v$ is at most $a$, and $u S_a v$ if the distance between $u$ and $v$ 
is less than $a$. Formally, a Kripke model for $\Sigma$ is a structure of the form 

$$\mathfrak{M} = (W, A_1^{\mathfrak{M}}, \ldots, R_1^{\mathfrak{M}}, \ldots, (R_a)_{a \in M[\Sigma]}, (S_a)_{a \in M[\Sigma]}, \ell_1^{\mathfrak{M}}, \ldots)$$

satisfying, for all $u, v, w \in W$ and all $a, b \in M[\Sigma]$, the following conditions: 
(S1$_R$) if $u R_a v$ and $a < b$, then $u R_b v$; 

(S2$_R$) $u R_a v$ iff $v R_a u$; 

(S3$_R$) $u R_a u$; 

(S4$_R$) if $u R_a v$, $v R_b w$ and $a + b \in M[\Sigma]$, then $u R_{a+b} w$; 

(S1$_S$) if $u S_a v$ and $a < b$, then $u S_b v$; 

(S2$_S$) $u S_a v$ iff $v S_a u$; 

(S3$_S$) $u S_a u$; 

(S4$_S$) if $u S_a v$, $v S_b w$ and $a + b \in M[\Sigma]$, then $u S_{a+b} w$; 

(C1) if $u S_a v$, then $u R_a v$; 

(C2) if $u R_a v$ and $a < b$, then $u S_b v$; 

(C3) if $u R_a v$, $v S_b w$ and $a + b \in M[\Sigma]$, then $u S_{a+b} w$; 

(C4) if $u S_a v$, $v R_b w$ and $a + b \in M[\Sigma]$, then $u S_{a+b} w$. 

The value of a concept $C$ in $\mathfrak{M}$ and the truth-relation $\mathfrak{M} \models C_1 = C_2$ are 
defined in almost the same way as for CD-models: we only replace $\mathfrak{B}$ with $\mathfrak{M}$ 
and define the clauses for the distance quantifiers as follows: 

$$(\mathsf{E}^{\leq a}C)^{\mathfrak{M}} = \{x \in W \mid \exists y \in W\,(x R_a y \wedge y \in C^{\mathfrak{M}})\},$$

$$(\mathsf{E}^{<a}C)^{\mathfrak{M}} = \{x \in W \mid \exists y \in W\,(x S_a y \wedge y \in C^{\mathfrak{M}})\},$$

$$(\mathsf{A}^{\leq a}C)^{\mathfrak{M}} = \{x \in W \mid \forall y \in W\,(x R_a y \rightarrow y \in C^{\mathfrak{M}})\},$$

$$(\mathsf{A}^{<a}C)^{\mathfrak{M}} = \{x \in W \mid \forall y \in W\,(x S_a y \rightarrow y \in C^{\mathfrak{M}})\}.$$

The next theorem ensures that the alternative Kripke semantics is ‘equivalent’ 
to the original one. 

Theorem 2. The knowledge base $\Sigma$ is satisfiable in a CD-model iff it is satisfiable 
in a Kripke model for $\Sigma$. 

Proof. ($\Rightarrow$) Suppose that $\Sigma$ is satisfied in a CD-model $\mathfrak{B} = (W, d, A_1^{\mathfrak{B}}, \ldots, R_1^{\mathfrak{B}}, \ldots, \ell_1^{\mathfrak{B}}, \ldots)$. 
Define a Kripke model 

$$\mathfrak{M} = (W, A_1^{\mathfrak{M}}, \ldots, R_1^{\mathfrak{M}}, \ldots, (R_a)_{a \in M[\Sigma]}, (S_a)_{a \in M[\Sigma]}, \ell_1^{\mathfrak{M}}, \ldots)$$

for $\Sigma$ by taking, for $a \in M[\Sigma]$, 

— $A_i^{\mathfrak{M}} = A_i^{\mathfrak{B}}$, $\ell_i^{\mathfrak{M}} = \ell_i^{\mathfrak{B}}$, and $R_i^{\mathfrak{M}} = R_i^{\mathfrak{B}}$; 

— $x R_a y$ iff $d(x,y) \leq a$; 

— $x S_a y$ iff $d(x,y) < a$. 

It is not difficult to see that $\mathfrak{M}$ is a Kripke model for $\Sigma$ and to prove by induction 
that $C^{\mathfrak{M}} = C^{\mathfrak{B}}$, for all $C \in cl(\Sigma)$. It follows that $\mathfrak{M}$ satisfies $\Sigma$. 
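The ($\Rightarrow$) direction reads $R_a$ and $S_a$ off the metric, and the conditions (S1$_R$)–(C4) then hold because $d$ is a metric. The following Python is an added example, not the paper's code: it performs exactly this construction on a constructed four-point metric, checks every condition mechanically, evaluates the four distance quantifiers with the Kripke clauses above, and also shows which conditions fail for a constructed non-metric ‘distance’ that violates the triangle inequality (which is why (S4$_R$), (C3) and (C4) are needed). The condition names and the point sets are this example's own.

```python
"""From a CD-model to a Kripke model (Theorem 2, direction =>).

Added example, not the paper's code: R_a and S_a are read off a distance function
and the conditions (S1_R)-(C4) are checked mechanically on constructed inputs."""


def compose(r1, r2):
    """Relational composition: (u, w) whenever u r1 v and v r2 w for some v."""
    return {(u, w) for (u, v) in r1 for (v2, w) in r2 if v == v2}


def kripke_relations(points, d, M):
    """R_a: distance at most a; S_a: distance less than a, for each a in M[Sigma]."""
    R = {a: {(x, y) for x in points for y in points if d(x, y) <= a} for a in M}
    S = {a: {(x, y) for x in points for y in points if d(x, y) < a} for a in M}
    return R, S


def violated_conditions(points, R, S, M):
    """Names of the conditions (S1_R)-(C4) that fail; empty set for a Kripke model for Sigma."""
    bad = set()
    for a in M:
        if any((u, u) not in R[a] for u in points):
            bad.add('S3_R')
        if any((u, u) not in S[a] for u in points):
            bad.add('S3_S')
        if any((v, u) not in R[a] for (u, v) in R[a]):
            bad.add('S2_R')
        if any((v, u) not in S[a] for (u, v) in S[a]):
            bad.add('S2_S')
        if not S[a] <= R[a]:
            bad.add('C1')
        for b in M:
            if a < b:
                if not R[a] <= R[b]:
                    bad.add('S1_R')
                if not S[a] <= S[b]:
                    bad.add('S1_S')
                if not R[a] <= S[b]:
                    bad.add('C2')
            if a + b in M:                     # the additive conditions only apply inside M[Sigma]
                if not compose(R[a], R[b]) <= R[a + b]:
                    bad.add('S4_R')
                if not compose(S[a], S[b]) <= S[a + b]:
                    bad.add('S4_S')
                if not compose(R[a], S[b]) <= S[a + b]:
                    bad.add('C3')
                if not compose(S[a], R[b]) <= S[a + b]:
                    bad.add('C4')
    return bad


def quantifier(kind, op, a, C, points, R, S):
    """Extension of E^{op a}C (kind 'E') or A^{op a}C (kind 'A') in the Kripke model:
    '<' is read through S_a and '<=' through R_a, exactly as in the clauses above."""
    rel = S[a] if op == '<' else R[a]
    if kind == 'E':
        return {x for x in points if any((x, y) in rel for y in C)}
    return {x for x in points if all(y in C for y in points if (x, y) in rel)}


def line_model():
    """Constructed metric: four points on a line at coordinates 0, 1, 2 and 4."""
    pos = {'p': 0, 'q': 1, 'r': 2, 's': 4}
    return set(pos), (lambda x, y: abs(pos[x] - pos[y]))


def non_metric():
    """Constructed 'distance' breaking the triangle inequality: d(p,r) > d(p,q) + d(q,r)."""
    table = {frozenset({'p', 'q'}): 1, frozenset({'q', 'r'}): 1, frozenset({'p', 'r'}): 3}
    return {'p', 'q', 'r'}, (lambda x, y: 0 if x == y else table[frozenset({x, y})])
```

With $M[\Sigma] = \{1, 2, 3, 4\}$ the line model passes every condition, while the non-metric table fails (S4$_R$), (C3) and (C4): $(p, r)$ is reachable through $q$ within $1 + 1$ but is not in $R_2$ or $S_3$.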

($\Leftarrow$) Suppose now that $\Sigma$ is satisfied in a Kripke model 

$$\mathfrak{M} = (W, A_1^{\mathfrak{M}}, \ldots, R_1^{\mathfrak{M}}, \ldots, (R_a)_{a \in M[\Sigma]}, (S_a)_{a \in M[\Sigma]}, \ell_1^{\mathfrak{M}}, \ldots)$$

for $\Sigma$. Let $M[\Sigma] = \{a_1, \ldots, a_n\}$ with $0 < a_1 < a_2 < \cdots < a_n$. Choose a rational 
number $\gamma_\Sigma > a_n$ in such a way that there are no $b, c \in M[\Sigma]$ with $a_n < 
b + c < \gamma_\Sigma$. Let $D$ be the minimal number in the set 

$$M[\Sigma] \cup \{b + c - \gamma_\Sigma \mid b, c \in M[\Sigma] - \{\gamma_\Sigma\}\ \&\ b + c > \gamma_\Sigma\}.$$

Take some positive $\varepsilon$ that is small in comparison with $D$. Define a function $d : W \times W \to \mathbb{R}$ by taking 
$d(u,v) = 0$ if $u = v$ and otherwise 

$$d(u,v) = \begin{cases} \gamma_\Sigma, & \text{if } \neg\exists a \in M[\Sigma]\ u R_a v, \\ a, & \text{if } \exists a \in M[\Sigma]\ (u R_a v \wedge \neg u S_a v), \\ a_i - 2^i \cdot \varepsilon, & \text{if } \exists a_i \in M[\Sigma]\ (u S_{a_i} v \wedge \forall j\,(0 < j < i \rightarrow \neg u R_{a_j} v)). \end{cases}$$

Consider the model $\mathfrak{B} = (W, d, A_1^{\mathfrak{B}}, \ldots, R_1^{\mathfrak{B}}, \ldots, \ell_1^{\mathfrak{B}}, \ldots)$, 
where $A_i^{\mathfrak{B}} = A_i^{\mathfrak{M}}$, $R_i^{\mathfrak{B}} = R_i^{\mathfrak{M}}$, and $\ell_i^{\mathfrak{B}} = \ell_i^{\mathfrak{M}}$ for all $i$. One can show now that $\mathfrak{B}$ 
is a CD-model satisfying $\Sigma$. 

Thus, it suffices to prove soundness with respect to Kripke semantics. 

Theorem 3. If there exists a complete and clash-free constraint system for $\Sigma$, 
then $\Sigma$ is satisfiable in a Kripke model for $\Sigma$. 

Proof. Suppose that $\mathcal{S} = (T, <, S, L, E)$ is a complete and clash-free constraint 
system for $\Sigma$ that is obtained by repeatedly applying completion rules from 
Fig. 1 to the initial constraint system $(T_0, <_0, S_0, L_0, E_0)$. We use this constraint 
system to construct a Kripke model 

$$\mathfrak{M} = (W, A_1^{\mathfrak{M}}, \ldots, R_1^{\mathfrak{M}}, \ldots, (R_a)_{a \in M[\Sigma]}, (S_a)_{a \in M[\Sigma]}, \ell_1^{\mathfrak{M}}, \ldots)$$

satisfying $\Sigma$. Denote by $T^*$ the set of nodes from $T$ that are not indirectly (but 
possibly directly) blocked. The domain $W$ of $\mathfrak{M}$ consists of all sequences of the 
form $(\ell, x_1, \ldots, x_k)$, where $\ell \in ob(\Sigma)$ and $x_1, \ldots, x_k \in T^*$ (with $k \geq 0$) such that 
$\ell < x_1$ and, for $1 \leq i < k$, either (i) $x_i$ is unblocked and $x_i < x_{i+1}$ or (ii) there 
is a $z$ such that $z$ directly blocks $x_i$ and $z < x_{i+1}$. Role names $R$ are interpreted 
by setting 

— $((\ell_1, x_1, \ldots, x_k), (\ell_2)) \in R^{\mathfrak{M}}$ iff $x_k$ is not blocked and $(R, \ell_2) \in S(x_k)$, or 
there exists $z$ which directly blocks $x_k$ such that $(R, \ell_2) \in S(z)$; 

— $((\ell, x_1, \ldots, x_k), (\ell, x_1, \ldots, x_{k+1})) \in R^{\mathfrak{M}}$ iff one of the following holds: 

• $x_k$ is not blocked, $x_k < x_{k+1}$, and $L(x_k, x_{k+1}) = R$; 

• there is $z$ which directly blocks $x_k$, $z < x_{k+1}$ and $L(z, x_{k+1}) = R$. 

Given $x = (\ell, x_1, \ldots, x_k) \in W$, let $S(x)$ denote $S(x_k)$. We now define the relations 
$R_a$ and $S_a$. Let $R_a$ be the set of pairs $(x,y) \in W \times W$ such that, for 
$\{u,v\} = \{x,y\}$, the following conditions are satisfied: 

(a) $\mathsf{A}^{\leq a}C \in S(u)$ implies $C \in S(v)$; 

(b) $\mathsf{A}^{\leq b}C \in S(u)$ and $b > a$ imply that $\mathsf{A}^{\leq c}C \in S(v)$ for some $c \geq b - a$; 

(c) $\mathsf{A}^{<b}C \in S(u)$ and $b > a$ imply that $\mathsf{A}^{<c}C \in S(v)$ or $\mathsf{A}^{\leq c}C \in S(v)$ for some 
$c \geq b - a$. 

Similarly, $S_a$ is comprised of the pairs $(x,y) \in W \times W$ such that, for $\{u,v\} = 
\{x,y\}$, the following conditions are satisfied: 

(d) $\mathsf{A}^{<a}C \in S(u)$ implies $C \in S(v)$; 

(e) $\mathsf{A}^{\leq b}C \in S(u)$ and $b > a$ imply that $\mathsf{A}^{\leq c}C \in S(v)$ for some $c \geq b - a$; 

(f) $\mathsf{A}^{<b}C \in S(u)$ and $b > a$ imply that $\mathsf{A}^{<c}C \in S(v)$ or $\mathsf{A}^{\leq c}C \in S(v)$ for some 
$c \geq b - a$. 

For all $\ell \in ob(\Sigma)$, we set $\ell^{\mathfrak{M}} = \{(\ell)\}$. This is well-defined, since no nominal is 
removed from the tableau. Finally, for all concept names $A_i$ and $x \in W$, we set 
$x \in A_i^{\mathfrak{M}}$ iff $A_i \in S(x)$. $\mathfrak{M}$ is a Kripke model for $\Sigma$ which satisfies $\Sigma$. A proof of this 
claim can be found in the full version of this paper. 



Completeness 

Let us say that a model $\mathfrak{B} = (W, d, A_1^{\mathfrak{B}}, \ldots, \ell_1^{\mathfrak{B}}, \ldots)$ realises a constraint system 
$(T, <, L, S, E)$ for $\Sigma$ if $\mathfrak{B} \models \Sigma$ and there exists a map $\rho : T \to W$ such that 

— $C \in S(x)$ implies $\rho(x) \in C^{\mathfrak{B}}$; 

— $L^\circ(\{x,y\}) = a \in M[\Sigma]$ implies $d(\rho(x), \rho(y)) \leq a$; 

— $L^\circ(\{x,y\}) = a^- \in M[\Sigma]^-$ implies $d(\rho(x), \rho(y)) < a$; 

— $x \neq y \in E$ implies $\rho(x) \neq \rho(y)$; 

— if $y$ is an $R$-successor of $x$, then $(\rho(x), \rho(y)) \in R^{\mathfrak{B}}$. 

The following lemma is an immediate consequence of the definitions: 

Lemma 1. If a knowledge base $\Sigma$ is satisfied in a CD-model $\mathfrak{B}$, then the initial 
constraint system for $\Sigma$ is realisable in $\mathfrak{B}$. 

Lemma 2. Suppose that $\mathfrak{B}$ realises a constraint system $\mathcal{S} = (T, <, L, S, E)$ for 
$\Sigma$ and a completion rule $\mathsf{R}$ is applicable to $\mathcal{S}$. Then $\mathsf{R}$ can be applied in such 
a way that $\mathfrak{B}$ realises the resulting constraint system $\mathcal{S}' = (T', <', S', L', E')$ as 
well. 

Proof. Let $\mathfrak{B} = (W, d, A_1^{\mathfrak{B}}, \ldots, \ell_1^{\mathfrak{B}}, \ldots)$ realise $\mathcal{S}$ by means of a map $\rho : T \to W$ 
and let $\mathcal{S}'$ be obtained from $\mathcal{S}$ using some rule $\mathsf{R}$. We consider only two rules, 
$\mathsf{R} = \mathsf{R}_{\mathsf{E}\leq}$ and $\mathsf{R} = \mathsf{R}_{\mathsf{A}<}$, and leave the remaining cases to the reader. 

$\mathsf{R}_{\mathsf{E}\leq}$: Suppose that $\mathsf{E}^{\leq a}C \in S(x)$, $T' = T \cup \{y\}$, $L'(\{x,y\}) = a$, $<' = < \cup \{(x,y)\}$, 
and $S'(y) = \{C\}$. We know that $\rho(x) \in (\mathsf{E}^{\leq a}C)^{\mathfrak{B}}$. So we can find $v \in W$ such that 
$d(\rho(x), v) \leq a$ and $v \in C^{\mathfrak{B}}$. Define a map $\rho' : T' \to W$ by taking $\rho'(z) = \rho(z)$ 
for all $z \in T$ and $\rho'(y) = v$. It should be clear that $\mathfrak{B}$ realises $\mathcal{S}'$ by means of $\rho'$. 

$\mathsf{R}_{\mathsf{A}<}$: Let $\mathsf{A}^{<a}C \in S(x)$, $x \in T$. Suppose that the rule is applied to some $y \in T$. 
Consider three possible cases. 

(i) If $L^\circ(\{x,y\}) = a^-$ then $d(\rho(x), \rho(y)) < a$ and $S'(y) = \{C\} \cup S(y)$. We need 
to show that $\rho(y) \in C^{\mathfrak{B}}$. But this follows immediately from $\rho(x) \in (\mathsf{A}^{<a}C)^{\mathfrak{B}}$. 

(ii) If $L^\circ(\{y,x\}) = b < a$ then $d(\rho(x), \rho(y)) \leq b$ and $S'(y) = \{\mathsf{A}^{<a-b}C\} \cup S(y)$. 
To show that $\rho(y) \in (\mathsf{A}^{<a-b}C)^{\mathfrak{B}}$, take any $v \in W$ such that $d(\rho(y), v) < a - b$. 
By the triangle inequality, we then have $d(\rho(x), v) < a$ and so $v \in C^{\mathfrak{B}}$. 

(iii) The case of $L^\circ(\{y,x\}) = b^-$ and $b < a$ is considered similarly to (ii). 

As a consequence of these two lemmas and Theorem 1 we obtain 

Theorem 4. If $\Sigma$ is satisfiable, then there exists a complete clash-free constraint 
system for $\Sigma$. 

5 Undecidability 

We show now that a rather natural and closer integration of distance quantifiers 
and qualified number restrictions results in an undecidable logic. Denote by $sim_1$ 
the language with the following concept formation rule: 

$$C ::= A_i \mid \ell_i \mid \neg C \mid C_1 \sqcap C_2 \mid C_1 \sqcup C_2 \mid \mathsf{E}^{\leq a}C \mid (\leq^a_1 . C),$$

where $(\leq^a_1 . C)$ is interpreted in concept distance models $\mathfrak{B}$ as follows: 

$$(\leq^a_1 . C)^{\mathfrak{B}} = \{x \in W \mid |\{y \mid d(x,y) \leq a,\ y \in C^{\mathfrak{B}}\}| \leq 1\}.$$

Theorem 5. The satisfiability problem for $sim_1$-knowledge bases in concept distance 
models is undecidable. 

Proof. (sketch) We can simulate the undecidable $\mathbb{N} \times \mathbb{N}$-tiling problem in almost 
the same way as in the undecidability proof of [9] for the language $MS_1$ with 
the operators $\mathsf{A}^{\leq a}$, $\mathsf{A}^{<a}$ and their duals: just replace everywhere in the proof of 
Theorem 3.1 the $\mathsf{A}^{\leq a}$-concept used there by the corresponding $(\leq^a_1 . C)$-concept. 

6 Conclusion 

We have introduced the description-metric logic sim-ALCQO for defining concepts 
based on similarity measures, and have proposed a tableau algorithm for 
deciding the satisfiability of sim-ALCQO-knowledge bases. This algorithm unifies 
the tableau algorithms for SHOQ (a superlogic of ALCQO) presented in [5] 
and for the logic of metric spaces MS as defined in [13]. It is of interest to 
note that, in contrast to what is done in [13], we need a different soundness 
proof, since the presence of number restrictions prohibits the use of filtration 
techniques. 

We regard the presented logic only as a first step towards DLs that allow 
definitions of concepts based on similarity measures. Although we believe that 
the expressive power provided by sim-ALCQO is quite natural and useful, an 
in-depth investigation of the expressive means that are useful for defining vague 
concepts is in order. Some possible extensions of sim-ALCQO are the following: 

(1) New constructors $\mathsf{E}^{<a}R.C$ and $\mathsf{A}^{<a}R.C$, where the former expresses that 
there exists an $R$-successor at distance smaller than $a$ satisfying $C$, and the 
latter is its dual. Such constructors would, e.g., allow us to say that a person is 
very similar to his father: $\mathsf{E}^{<a}\mathit{parent}.\mathit{Male}$ for a small $a$. The presented algorithm should be 
extendable to this case without any problems. 

(2) New constructors $\mathsf{E}^{>a}C$ and $\mathsf{E}^{\geq a}C$ (and their duals) with the obvious semantics. 
Although these constructors do not seem to be so natural as the variants 
based on $<$ and $\leq$, they could, e.g., be used to express that a prototypical 
tableau algorithm $pta$ is very close to all other tableau algorithms: 
$pta : \mathsf{A}^{\geq a}\neg\mathit{Tableau\_algorithm}$ for a small $a$. While [9] proves the decidability of the metric 
logic with the operators $\mathsf{E}^{\leq a}C$ and $\mathsf{E}^{>a}C$ (and their duals), nothing is currently 
known about the extension of MS with all four possible constructors. 
Abstract. XPath, CTL and the modal logics proposed by Blackburn et 
al., Palm and Kracht are variable-free formalisms to describe and reason 
about (finite) trees. XPath expressions evaluated at the root of a tree correspond 
to existential positive modal formulas. The models of XPath expressions 
are finite ordered trees, or in the presence of XML’s ID/IDREF 
mechanism graphs. The ID/IDREF mechanism can be seen as a device 
for naming nodes. Naming devices have been studied in hybrid logic by 
nominals. We add nominals to the modal logic of Palm and interpret 
the language on directed acyclic graphs. We give an algorithm which 
decides the consequence problem of this logic in exponential time. This 
yields a complexity result for query containment of the corresponding 
extension of XPath. 



1 Introduction 

This paper is about reasoning in languages interpreted on finite trees and di- 
rected acyclic graphs (DAGs). These finite structures are the core interest in 
both theoretical linguistics (parsing a sentence leads to a finite tree or DAG) 
and in the world of XML databases (an XML document is modeled as a finite 
tree, or in the presence of ID/IDREF attributes as a finite graph). In the field 
of XML databases, a key problem is the equivalence or containment of XPath 
expressions possibly in the presence of a Document Type Definition (DTD). This 
problem can be seen as an instance of the consequence problem in logic. We study 
the complexity of this problem in the setting in which the relevant structures 
are finite trees or DAGs. The language used to describe these structures is the 
modal tree language proposed by Palm [20]. This is a fragment of Propositional 
Dynamic Logic (PDL) with four basic programs corresponding to the four basic 
movements in finite ordered trees: mother, daughter, left sister and right sister. 

The novelty of this paper is the addition of nominals to this language in order 
to simulate XML’s ID/IDREF mechanism, and the generalization of the class 
of models from trees to rooted DAGs. The main result is that the satisfiability 
problem interpreted on rooted DAGs is in EXPTIME. 

We started our work by building a tableau system for a fragment of the 
language. But this system seemed to be horribly inefficient, as it had to build 
a tree from the root. It is straightforward to devise for every natural number $n$ 
a satisfiable formula of size $O(n^2)$ whose minimal model is a binary branching 
tree of depth $2^n$, a structure with $2^{2^n}$ many nodes [5]. The known lower bound 
of the satisfiability problem was EXPTIME, so somewhere there was something 
wrong. 

The decision algorithm presented here searches for a pseudomodel of the 
formula to be satisfied. The pseudomodel is such that it can be transformed into 
a finite structure in which the original formula is still satisfied. The pseudomodel 
on the other hand has size bounded by just a single exponential in the input. 
Algorithms using pseudomodels are the natural alternative when either tableaux 
do not terminate (or do not terminate easily) or when they take more time or space than needed 
to solve the problem. Pseudomodels are often used in decision procedures in 
modal and temporal logic, but also in, e.g., the family of guarded fragments; 
see [5] for a number of examples. 

Our work is related to many areas in logic. We mention the most relevant. The 
EXPTIME lower bound of PDL [12] transfers to finite models and our similarity 
type. Upper bounds for (converse) PDL do not transfer to our case, since we are 
working on finite trees and DAGs, and hence have a different logic. For instance, 
versions of Löb’s axiom hold on finite trees and DAGs, but fail for PDL. Our 
EXPTIME algorithm uses several features of the one for PDL by Pratt [21]. The 
novelty of this paper is the adaptation of Pratt’s method to the finite case: the 
new part in the algorithm prevents building models with cycles or infinite paths. 
Alternative EXPTIME lower bounds can be extracted from results about XPath 
query containment under DTDs by Neven and Schwentick [18]. For unordered 
finite trees, complexity results for part of the language can be obtained by an 
interpretation into CTL* [11]. The connection between CTL and XPath is first 
made in [17]. The addition of nominals to the language places this work in the 
tradition of hybrid logic [4]. The algorithm presented here uses as a subroutine 
(cf. Figure 4) the decision procedure for Palm’s language on finite trees from [6]. 
Alechina, de Rijke and Demri [2] analyze path constraints for semistructured 
data and obtain complexity results by an embedding into converse PDL with 
nominals. The difference with the present work is twofold. Firstly, they consider 
arbitrary graphs as models. Secondly, they consider edge-labeled structures, 
while we are interested in node-labeled structures (like XML documents). This 
shows in the difference in signatures: we consider just the four basic moves in 
a tree and allow whatever node label (i.e., propositional variable); [2] has no 
propositional variables, but arbitrary edge labels (i.e., atomic programs). 

Organization. The next section presents two modal logics of finite trees and 
establishes the relation to first- and second-order logic of trees. Then follow two 
sections about XML motivating our work. These two sections are not needed 
to understand the technical part of the paper. After that we concentrate on the 
decision algorithm and its correctness proof. We conclude with a number of open 
problems. 
2 Modal Logic of Finite Trees 

We first recall the modal logic of finite trees proposed by Marcus Kracht in [14, 
15]. The language will be called L_T. L_T is a propositional modal language iden- 
tical to Propositional Dynamic Logic (PDL) [13] over four basic programs: 
←, →, ↑ and ↓, which explore the left-sister, right-sister, mother-of and daughter-of 
relations. Recall that PDL has two sorts of expressions: programs and proposi- 
tions. We suppose we have fixed a non-empty, finite or countably infinite, set of 
atomic symbols A whose elements are typically denoted by p. L_T's syntax is as 
follows, writing π for programs and φ for propositions: 

    π ::= ← | → | ↑ | ↓ | π ; π | π ∪ π | π* | ?φ 

    φ ::= p | ⊤ | ¬φ | φ ∧ φ | ⟨π⟩φ 

We employ the usual boolean abbreviations and write [π]φ instead of ¬⟨π⟩¬φ. 

L_T is interpreted on finite ordered trees whose nodes are labeled with symbols 
drawn from A. We assume that the reader is familiar with finite trees and such 
concepts as 'daughter-of', 'mother-of', 'sister-of', 'root-node', 'terminal-node', 
and so on. If a node has no sister to the immediate right we call it a last node, 
and if it has no sister to the immediate left we call it a first node. Note that 
the root node is both first and last. The root node will always be called root. 
A labeling of a finite tree associates a subset of A with each tree node. 

Formally, we present finite ordered trees as tuples T = (T, R_→, R_↓). Here T 
is the set of tree nodes and R_→ and R_↓ are the immediate right-sister and 
daughter-of relations respectively. A pair M = (T, V), where T is a finite tree 
and V : A → Pow(T), is called a model, and we say that V is a labeling function 
or a valuation. Given a model M, we simultaneously define a set of relations on 
T × T and the interpretation of the language L_T on M: 

    R_← = {(t, t') | t' R_→ t}          R_{π;π'} = R_π ∘ R_π' 
    R_↑ = {(t, t') | t' R_↓ t}          R_{π∪π'} = R_π ∪ R_π' 
    R_{π*} = (R_π)*                      R_{?φ} = {(t, t) | M, t ⊨ φ} 

    M, t ⊨ p        iff  t ∈ V(p), for all p ∈ A 
    M, t ⊨ ⊤        iff  t ∈ T 
    M, t ⊨ ¬φ       iff  M, t ⊭ φ 
    M, t ⊨ φ ∧ ψ    iff  M, t ⊨ φ and M, t ⊨ ψ 
    M, t ⊨ ⟨π⟩φ     iff  ∃t' (t R_π t' and M, t' ⊨ φ). 

Here (R_π)* is the reflexive transitive closure of R_π. For any formula φ, if there 
is a model M such that M, root ⊨ φ, we say that φ is satisfiable. 

We note that we could have generated the same language by taking ↓ and → 
as primitive programs and closing the set of programs under converses. We use 
a number of formulas as abbreviations: 

    t ⊨ root   ⟺  t ⊨ ¬⟨↑⟩⊤  ⟺  t is the root 
    t ⊨ leaf   ⟺  t ⊨ ¬⟨↓⟩⊤  ⟺  t is a terminal node 
    t ⊨ first  ⟺  t ⊨ ¬⟨←⟩⊤  ⟺  t is a first node 
    t ⊨ last   ⟺  t ⊨ ¬⟨→⟩⊤  ⟺  t is a last node 

We now discuss the expressivity of this and related languages. First two exam- 
ples: (1) says that every a node has a b and a c daughter, in that order, and no 
other daughters; and (2) says that every a node has a b first daughter followed 
by some number of c daughters, and no other daughters. 

    (1) a → ⟨↓⟩(first ∧ b ∧ ⟨→⟩(c ∧ last)) 

    (2) a → ⟨↓⟩(¬⟨←⟩⊤ ∧ b ∧ ⟨(→ ; ?c)*⟩last). 

L_T can express properties beyond the power of the first order logic of ordered 
labeled trees.¹ For example, it can express the property of having an odd number 
of daughters: ⟨↓⟩(first ∧ ⟨(→ ; →)*⟩last). 

Palm [20, 19] proposed a fragment of L_T which is functionally complete with 
respect to first order logic of ordered labeled trees (an extension of results by 
Schlingloff [24]). There are two equivalent formulations (cf. [6]) of this language, 
which we both denote by L_P. The first is by restricting the set of programs to 

    π ::= ← | → | ↑ | ↓ | … | π*. 

The second is more economic in its modal operators and resembles temporal 
logic: let L_P be the modal language with the following four binary modal op- 
erators: for π ∈ {←, →, ↑, ↓}, M, t ⊨ Until_π(φ, ψ) iff there exists a t' such 
that t R_π⁺ t' and M, t' ⊨ φ, and for all t'' such that t R_π⁺ t'' R_π⁺ t' it holds that 
M, t'' ⊨ ψ. 

Present proposals for XPath [8] don't go beyond first order expressivity. 
For that reason we focus on L_P from now on. We study the complexity of the 
consequence problem: Γ ⊨ φ (is φ true at every state on each finite ordered 
tree on which all of Γ is true at every state). For finite Γ, this reduces to 
the satisfiability problem because Γ ⊨ φ if and only if it is not the case that 
[↓*]Γ ∧ ⟨↓*⟩¬φ is satisfiable. We will improve on the following theorem: 

Theorem 1 ([6]). The satisfiability problem for L_P is in EXPTIME.² 

We note the remarkable fact that the satisfiability for the equally expressive 
first order logic on finite trees is decidable but with a non-elementary lower 
bound [23]. 

¹ That is first order logic in the signature with binary and countably many 
unary predicates, interpreted on labeled ordered trees. 

² EXPTIME is the class of all problems solvable in exponential time. A problem is 
solvable in exponential time if there is a deterministic exponentially time bounded 
Turing machine that solves it. A deterministic Turing machine is exponentially time 
bounded if there is a polynomial p(n) such that the machine always halts after at 
most 2^{p(n)} steps, where n is the length of the input. 
3 XML and XPath 

XML is a new standard adopted by the World Wide Web Consortium (W3C) 
to complement HTML for data exchange on the web. In its simplest form XML 
looks just like HTML. The main difference is that users can define their own tags 
and specify a Document Type Definition (DTD) which serves as a grammar for 
the underlying XML document. Figure 1 contains a DTD and an XML document 
that conforms to it. An XML document is most naturally viewed as a finite 
ordered node-labeled tree. The tag-names form the labels of the non-terminal 
nodes and the terminals are labeled with the data (in our example of type CDATA). 
We assume familiarity with these concepts; for an introduction cf. e.g., [1]. XPath 
is a simple language for navigating an XML tree and selecting a set of element 
nodes [7]. Its grammar resembles the file selection mechanism in UNIX. As 
an example, the XPath expression /a//b[*/c]/g selects nodes labeled with 
g (g-nodes for short) that are children of b-nodes which have a c-node as 
a grandchild and which are themselves descendants of the root a-node. A clear 
explanation of the semantics of XPath is given in [3]. XPath queries starting 
with the root symbol / can easily be translated into expressions in the positive 
existential fragment of L_P. /a//b[*/c]/g selects the same nodes as 

    g ∧ ⟨↑⟩(b ∧ ⟨↓⟩⟨↓⟩c ∧ ⟨↑*⟩(a ∧ root)). 



1. <!ELEMENT Collection (Painter+)> 
2. <!ELEMENT Painter (Name, Painting*)> 
3. <!ELEMENT Name CDATA> 
4. <!ELEMENT Painting CDATA> 

<Collection> 
  <Painter> 
    <Name> Rembrandt </Name> 
    <Painting> de Nachtwacht </Painting> 
    <Painting> de Staalmeesters </Painting> 
  </Painter> 
  <Painter> 
    <Name> Vermeer </Name> 
    <Painting> het Melkmeisje </Painting> 
  </Painter> 
</Collection> 

Fig. 1. An XML DTD and document 
DTD's can also be translated into L_T. The DTD from Figure 1 translates into³ 

    Collection → ⟨↓ ; ?first ; ?Painter ; (→ ; ?Painter)*⟩last. 
    Painter    → ⟨↓ ; ?first ; ?Name ; (→ ; ?Painting)*⟩last. 
    Name       → ⟨↓ ; ?first ; ?CDATA⟩last. 
    Painting   → ⟨↓ ; ?first ; ?CDATA⟩last. 

These translations (which can be performed in polynomial time) mean that the 
containment problem of XPath expressions under a DTD can be reduced to the 
consequence problem in the modal logic of finite ordered trees. This problem 
has received quite some attention lately [25, 9, 17, 18]. The situation here is 
quite comparable to that in description logic: an effort is made to map out the 
complexity landscape for a great number of XPath fragments. The result which 
is of interest here is that query containment under a DTD is EXPTIME hard 
for XPath expressions in which one can use /, //, | or /, //, [], *. When the 
non-deterministic operators //, |, * are left out (leaving only /, []) the problem 
is complete for coNP. Both results are in [18]. 

Theorem 1 now yields a matching upper bound for a large extension of these 
XPath fragments. Note that XPath statements correspond to existential positive 
modal formulas. But Theorem 1 works for the whole modal language, which is 
not only closed under full negation but can also express until-like constructions. 
We can now consider queries like 

— select all A that only have B children; 

— select all couples with a completely Greek descendant line (in a genealogy 
tree in which nationality is coded). 

The first uses negation, the second the until construction. 

The part of the landscape that has been investigated until now views XML 
documents as trees. But in the presence of XML’s ID/IDREF mechanism they 
are really graphs. We turn to these models in the next section. 



4 From Trees to DAGs 

So far we have discussed XML documents as if they were trees. But XML con- 
tains a mechanism for defining and using references and, hence, for describing 
graphs rather than trees. XML allows the association of unique identifiers to 
elements as the value of a certain attribute. These are attributes of type ID, 
and the referencing is done with an attribute of type IDREF. How this is done 
exactly is not important for our discussion. Figure 2 contains a DTD⁴ using this 

³ This DTD translates to L_P. But we need L_T to translate a rule like <!ELEMENT 
Collection (Painter, Painting)+>. For lack of space we cannot give the translation 
algorithm. For that see [16]. 

⁴ Instead of the official but rather cumbersome <!ELEMENT Countries 
(State, City*)> we simply write the equivalent context free grammar rule 
Countries → (State, City*). 
countries   → (state(id)*, city*) 
state       → name 
city        → (name, capitol_of) 
capitol_of  → state(idref) 
name        → CDATA. 

<countries> 
  <state ID=A1> 
    <name Holland /> 
  </state> 
  <city> 
    <name Amsterdam /> 
    <capitol_of IDREF=A1 /> 
  </city> 
</countries> 

Fig. 2. A DTD and an XML document with ID/IDREF 



(Graph drawing: nodes country; name, capital_of, name; leaves Holland, Amsterdam.) 

Fig. 3. Acyclic graph for the document in Figure 2 



mechanism, and a document which conforms to it. The corresponding acyclic 
graph is drawn in Figure 3. More abstractly, the models we consider are node 
labeled graphs in which the nodes may have a unique name besides their label. 
In modal logic names for states are known as nominals and modal logics con- 
taining names are referred to as hybrid logics [4]. In a modal language a nominal 
is nothing but a special propositional variable which can only be true at exactly 
one state. Modal languages with the Difference operator D can express that p 
behaves like a nominal by stating (here Eφ abbreviates φ ∨ Dφ): 

    E(p ∧ ¬Dp). 

The difference operator D is defined by M, t ⊨ Dφ iff there exists a t' ≠ t such 
that M, t' ⊨ φ. On finite ordered trees Dφ is term definable as 

    Dφ = ⟨↓⁺⟩φ ∨ ⟨↑⁺⟩φ ∨ ⟨↑* ; (←⁺ ∪ →⁺) ; ↓*⟩φ. 

So in a sense, we have nominals in our modal language. But a referencing 
mechanism on trees is not very interesting, nor can we make the connection with 
the XML graph models. Instead of interpreting the modal language of trees on 
arbitrary graphs we decided to make a smaller move, remaining as close to trees 
as possible. Here's the definition. We call a directed acyclic graph (DAG) (N, R_↓) 
rooted if there exists an r ∈ N without ancestors and r is the ancestor of each 
n ∈ N. Note that a rooted DAG is a tree if every node except the root has exactly 
one parent. It is useful to distinguish nodes with one parent from nodes with 
multiple parents. The latter correspond to nodes with a name. For NOM ⊆ N, 
we call a structure (N, R_↓, NOM) a nominalized rooted DAG (NDAG for short) 
if (N, R_↓) is a rooted DAG and all elements in N \ (NOM ∪ {root}) have exactly 
one parent. 

The restriction to NDAG's is rather natural from an XML point of view, 
and similar in spirit to the restriction to trees encountered in the literature. 
Depending on certain syntactic properties of the DTD, we can restrict the class 
of models accordingly. If the DTD contains no ID/IDREF, only trees have to be 
considered. If the DTD does not specify a cycle of naming and referencing, only 
NDAG's need to be considered. This we will do in the next section. 

We note that on DAGs there are strictly fewer validities than on trees. For 
instance, ⟨↓ ; ↑⟩φ → φ is valid on trees but not on DAGs. Moreover L_T is not 
strong enough to capture all first order properties of NDAG's. For instance, 
∃yzw (y ≠ z ∧ x R_↓ y ∧ y R_↓ w ∧ x R_↓ z ∧ z R_↓ w) is not expressible by an L_T formula, 
as an easy bisimulation argument shows. Of course on trees, this formula is not 
satisfiable, whence simply expressible by ⊥. 



5 Deciding the Modal Logic of Finite Rooted Nominalized DAGs 

At present we do not know the complexity of the full PDL language nor of Palm's 
fragment with nominals on ordered DAGs. We make a restriction common in the 
literature on XPath query containment and remove the two sister axes⁵ from the 
language L_P. To this language we add a modal constant id and nominals and 
interpret it on NDAG's. Formally, there is a special set of propositional variables 
called nominals. On an NDAG (N, R_↓, NOM) each nominal is interpreted as 
a singleton subset of NOM. The interpretation of the modal constant id is 
exactly the set NOM. We call the resulting logic L_DAG.⁶ The L_DAG consequence 
problem consists of all pairs (Γ, χ) with Γ ∪ {χ} a finite set of L_DAG formulas 
such that Γ ⊨ χ on finite NDAG's. 

The following three validities are noteworthy. (3) states that all nominals are 
interpreted in the set NOM; (4) that there are no cycles and (5) that nodes 
which are not in the set NOM have at most one parent. 

    (3) i → id, for i a nominal 

    (4) i → ¬⟨↓⁺⟩i, for i a nominal 

    (5) ¬id → … 

⁵ On ordered DAGs the interpretation of the sister relation is problematic: should they 
share one or all parents? In the former case the tree validity … → [←* ∪ →*]… 
does not hold. In the latter, we cannot mark first and last nodes anymore. We note 
that without the sister axis DTD's cannot be expressed anymore. Thus the present 
result only yields a decision procedure for XPath root queries without a DTD. 

⁶ Hybrid logics usually have besides nominals also the satisfaction operator @. Here 
we do not add it because @_i φ is term definable as ⟨↑*⟩(root ∧ ⟨↓*⟩(i ∧ φ)). 
Theorem 2. The L_DAG consequence problem is in EXPTIME. 

The proof consists of a linear reduction and a decision algorithm. The reduction 
removes the transitive closure operation by adding new propositional symbols. 
Similar techniques are employed in [22, 10] for obtaining normalized monadic 
second order formulas. The reduction is most simply presented in the formulation 
of Palm's language using the until operators. 

Let χ ∈ L_DAG. Let Cl(χ) be the smallest set of formulas containing all 
subformulas of χ, the constants root and leaf, and which is closed under taking 
single negations and under the rule: Until_π(φ, ψ) ∈ Cl(χ) ⇒ ψ ∧ Until_π(φ, ψ) ∈ 
Cl(χ). 

We associate a formula ∇(χ) with χ as follows. We create for each φ ∈ Cl(χ) 
a new propositional variable q_φ. Now ∇(χ) "axiomatizes" these new variables as 
follows: 

    q_p ↔ p 

    q_¬φ ↔ ¬q_φ 

    q_{Until_π(φ,ψ)} ↔ …    for π ∈ {↓, ↑}. 

Lemma 1. (i) For every model which validates ∇(χ), for every node n and 
for every subformula φ ∈ Cl(χ), M, n ⊨ q_φ iff M, n ⊨ φ. 

(ii) Thus for all χ, χ' ∈ L_DAG, it holds that χ ⊨ χ' iff ∇(χ, χ'), q_χ ⊨ q_χ'. 

The proof is by induction on the structure of the formula, and for the left to right 
direction of the until case by induction on the depth in the direction of π. Note that 
it is crucial that the models are finite and acyclic. Also note that this reduction 
does not work (at least not directly) for formulas of the form ⟨(↓ ; ↑)*⟩φ or even … 

Finally note that the right hand side of the statement in Lemma 1.(ii) con- 
tains only diamonds of the form ⟨↑⟩ and ⟨↓⟩. As the reduction is linear we can 
thus decide the consequence problem for this restricted language. 

We will now give an EXPTIME algorithm that on input formulas γ, χ decides 
whether there exists a model M in which γ is true everywhere and χ is true at 
the root. To this the consequence problem reduces because γ ⊭ χ iff there exists 
a model in which γ ∧ (p → ¬χ ∨ ⟨↓⟩p) is true everywhere and p is true at the 
root. Here p is a new propositional variable whose intended meaning is ⟨↓*⟩¬χ. 

Preliminaries. The next notion is well known. Hintikka sets are used to label 
nodes of models with a set of formulas which are supposed to be true at that 
node. The first condition ensures that γ and ⊤ are true in every node. The other 
two ensure the correct behaviour of the Booleans. 

Definition 1 (Hintikka Set). Let A ⊆ Cl({γ, χ}). We call A a Hintikka Set 
if A satisfies the following conditions: 

1. γ ∈ A and ⊤ ∈ A. 

2. If φ ∈ Cl({γ, χ}) then φ ∈ A iff ¬φ ∉ A. 

3. If φ ∧ ψ ∈ Cl({γ, χ}) then φ ∧ ψ ∈ A iff φ ∈ A and ψ ∈ A. 

Let HS(γ, χ) denote the set of all Hintikka Sets which are a subset of Cl(γ, χ). 
Note that |HS(γ, χ)| ≤ 2^{O(|γ, χ|)}. 

For H a set of Hintikka sets, let l : H → {0, 1, ..., |H|} be a function 
assigning to each A ∈ H a level. We call a structure (H, l) an ordered set 
of Hintikka sets. For notational convenience we introduce a binary relation on 
Hintikka sets specifying that it is not directly inconsistent that the two sets 
stand in the parent relation in the tree: for A, B Hintikka sets, A child B holds 
if 

1. l(A) > l(B); 

2. for all ⟨↓⟩ψ ∈ Cl(φ), if ψ ∈ B, then ⟨↓⟩ψ ∈ A; 

3. for all ⟨↑⟩ψ ∈ Cl(φ), if ψ ∈ A, then ⟨↑⟩ψ ∈ B; 

4. if id ∉ B then also for all ⟨↑⟩ψ ∈ Cl(φ), ⟨↑⟩ψ ∈ B implies ψ ∈ A. 

The definition of saturation is the crucial one in any mosaic style proof. Infor- 
mally it states that a set of Hintikka Sets is large enough to build a model from. 
In the temporal logic literature, the diamond formulas in a Hintikka set are called 
unfulfilled eventualities. 

Definition 2 (Saturation). Let (H, l) be an ordered set of Hintikka sets. We 
call (H, l) down-saturated if for all A ∈ H, ⟨↓⟩φ ∈ A only if there exists a 
B ∈ H such that φ ∈ B and A child B. 

We call (H, l) up-saturated if for all A ∈ H containing id, ⟨↑⟩φ ∈ A only if 
there exists a B ∈ H such that φ ∈ B and B child A. 

We call (H, l) saturated if it is both up and down saturated. 

The next definition specifies when an ordered saturated set of Hintikka sets 
can be turned into an NDAG. 

Definition 3. We call an ordered saturated set of Hintikka sets (H, l) rooted 
and nominalized if 

1. There is exactly one A ∈ H with root ∈ A, and for every nominal i ∈ 
Cl({γ, χ}) there exists exactly one A ∈ H such that i ∈ A. 

2. (everyone has a predecessor) For every B in H there is a path C_0, ..., C_k of 
Hintikka sets in H with B = C_k such that 

(a) root ∈ C_0 

(b) C_j child C_{j+1}. 

We can now make the connection between satisfiability and the existence of 
certain sets of Hintikka sets. 

Lemma 2. The following are equivalent: 

1. There exists a model over a finite NDAG in which γ is true everywhere and 
χ is true at the root; 

2. There exists a rooted nominalized saturated ordered set of Hintikka Sets (H, l) 
with H ⊆ HS(γ, χ) and there is an A ∈ H with {root, χ} ⊆ A. 

Proof. First assume M is a model over a finite NDAG in which γ is true 
everywhere and χ is true at the root. For each node t define A_t = {ψ ∈ 
Cl(γ, χ) | t ⊨ ψ}. Obviously each A_t is a Hintikka set and there is an A with 
{root, χ} ⊆ A. Let H be the set of all such A_t. Inductively define the level func- 
tion on H. First define which Hintikka Sets are of level 0: l(A) = 0 if leaf ∈ A. 
Next, suppose the j-th level is defined. First define: S_j = {A ∈ H | l(A) ≤ j}. 
Next, for A ∈ H, l(A) = j + 1 if M, root ⊨ ⟨↓*⟩(A ∧ [↓]⋁_{B ∈ S_j} B). It is 
not hard to show that (H, l) is ordered, saturated, rooted, nominalized and A_root 
contains root and χ. 

Now assume (H, l) is a rooted nominalized saturated ordered set of Hintikka Sets 
and there is an A_root ∈ H with {root, χ} ⊆ A_root. For each nominal i, let A_i be 
the Hintikka Set containing i. Let T = (T, R_↓) be a tree with root t_0 of depth 
l(A_root) and branching width |H|. The function depth(·) measures the depth of 
nodes in the tree (with depth(t_0) = 0). Let h : T → H be a partial function 
satisfying 

root   h(t_0) = A_root. 

max    if t R_↓ t' and h is defined on t and t', then h(t) child h(t'). 

min    if h(t) child B then either there exists a t' ∈ T such that t R_↓ t' and h(t') = 
B, or B contains a nominal. 

nom    for each nominal i ∈ Cl({γ, χ}) there exists exactly one t such that h(t) = 
A_i, and for any t', h(t') child A_i implies that depth(t) > depth(t'). 

It is straightforward to show that such h can be defined (by a step-by-step 
construction for instance). Now we turn T into an NDAG. First let T' be the 
largest subtree of T on which h is total. Second, let T'' be T' with the following 
arrows added: 

    if h(t) child h(t') and depth(t) < depth(t') and id ∈ h(t'), then add t R_↓ t'. 

We claim that (T'', NOM) with NOM = {t | id ∈ h(t)} is a rooted NDAG 
satisfying 

up-min    if B child h(t') and id ∈ h(t'), then there exists a t such that t R_↓ t' and 
h(t) = B. 

nom-min   if h(t) child B and B contains a nominal, then there exists a t' ∈ T 
such that t R_↓ t' and h(t') = B. 

By construction (T'', NOM) is a rooted NDAG. To show up-min, assume 
that B child h(t') holds. Then l(B) > l(h(t')). By Definition 3.2 there exists 
a path A_root child ... child B, say of length k. Whence, by min, there exists 
a node t with h(t) = B and depth(t) = k. By max, the depth of t' must be 
strictly larger than k because l(B) > l(h(t')). Thus an arrow from t to t' has 
been added. The proof for nom-min is similar. 
begin 
    L    := {A ∈ Choice(γ, χ) | leaf ∈ A}; 
    Pool := Choice(γ, χ) \ L; 
    S    := L; 
    k    := 0; 
    l    := {(A, k) | A ∈ L}; 
    do L ≠ ∅ → 
        L    := {A ∈ Pool | (S ∪ {A}, l ∪ {(A, k + 1)}) is a down-saturated ordered set of 
                 Hintikka Sets}; 
        Pool := Pool \ L; 
        S    := S ∪ L; 
        k    := k + 1; 
        l    := l ∪ {(A, k) | A ∈ L} 
    od 
end 

Fig. 4. The algorithm elimination of Choice(γ, χ) 



Let V(p) = {t | p ∈ h(t)}, for p a nominal or a propositional variable. Then 
M = (T'', NOM, V) is a model, because every nominal is true at exactly one 
node in NOM. 

We claim that M ⊨ γ and M, t_0 ⊨ χ. By assumption χ ∈ h(t_0) and γ is in 
every Hintikka set, thus it is sufficient to prove the truth lemma 

    for all ψ ∈ Cl(γ, χ), for all nodes t, M, t ⊨ ψ if and only if ψ ∈ h(t). 

The base case is by definition of V. The case for id is by definition of NOM. The 
boolean cases are by the conditions on Hintikka sets. The left to right direction 
for both modalities follows from max. The other direction for ⟨↓⟩ψ and ⟨↑⟩ψ 
follows from min, nom-min and up-min and saturation. 

The algorithm. We now describe the algorithm for finding a saturated, ordered, 
rooted and nominalized set of Hintikka Sets. It consists of five different stages. 
Let γ, χ be the formulas for which we decide the existence of a model in which 
γ holds everywhere and χ at the root. 

(1) Create Hintikka Sets. The algorithm creates HS(γ, χ). HS(γ, χ) con- 
tains sets of size O(|γ ∧ χ|). 

(2) Choose Named Elements. Choose a set NAMED ⊆ HS(γ, χ) having a 
Hintikka set containing χ and the root symbol root and exactly one Hintikka 
set containing the nominal i for each i ∈ Cl(γ, χ). 

There are at most |HS(γ, χ)| · ... · |HS(γ, χ)| (as many factors as there are nominals 
in γ ∧ χ plus one) many choices, that is at most …. Let Choice(γ, χ) 
be NAMED ∪ HS(γ, χ) \ {A ∈ HS(γ, χ) | A contains a nominal or root}. 

(3) Create Down-Saturated Ordered Set. Run the algorithm from Fig- 
ure 4. 
Lemma 3. 1. Elimination of Choice(γ, χ) terminates after at most |HS| 
rounds of the do loop. 

2. The statement "(S, l) is a down-saturated ordered set of Hintikka sets" 
holds after the do loop. 

Proof. (1) The bound function of the do loop is the size of Pool which is 
being reduced in every round, or the loop terminates because L = ∅. The 
initial size of Pool is bounded by |HS|. 

(2) Because the statement "Choice(γ, χ) = Pool ⊎ S and (S, l) is a down- 
saturated ordered set of Hintikka sets" holds before the do loop and is an 
invariant of the do loop. 

(4) Make (H, l) Rooted. Let (H, l) be the output (S, l) of the previous stage. 
Delete all elements from H for which condition 2 in Definition 3 does not 
hold. 

(5) Test. Let (H, l) be the output of the previous stage. Check whether (H, l) 
contains a Hintikka set A with root ∈ A and χ ∈ A. Check whether (H, l) 
is up-saturated. And check whether (H, l) contains for each nominal i ∈ 
Cl(γ, χ) a Hintikka set containing i. 

Lemma 4. If all these checks succeed, (H, l) is an up and down-saturated 
rooted and nominalized ordered set of Hintikka sets. 

The algorithm succeeds iff there is a choice in stage 2 for which the checks in 
stage 5 succeed. 
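The five stages above, as an added Python implementation that is not the authors' code, for the nominal-free fragment of L_DAG with only ⟨↓⟩ and ⟨↑⟩ as modalities (the Until operators are assumed to have been removed already by the reduction of Lemma 1). Without nominals, stage 2 only has to choose the root set and the up-saturation check of stage 5 is vacuous. One assumption goes beyond the text: a Hintikka set is not allowed to contain leaf together with some ⟨↓⟩ψ, nor root together with some ⟨↑⟩ψ, so that the level-0 sets of Figure 4 are down-saturated as the invariant of Lemma 3 requires. The tuple encoding of formulas and all function names are my own.

```python
# Added example (not the paper's code): the decision procedure of Section 5,
# restricted to the nominal-free fragment with <down>, <up>, negation and
# conjunction (Until assumed eliminated by the reduction of Lemma 1).
from itertools import product

TOP = ('top',)
def atom(p):       return ('atom', p)
def conj(a, b):    return ('and', a, b)
def dia(d, a):     return ('dia', d, a)                       # d in {'down', 'up'}
def neg(a):        return a[1] if a[0] == 'not' else ('not', a)  # single negation only
def implies(a, b): return neg(conj(a, neg(b)))
LEAF = neg(dia('down', TOP))                                  # no daughter
ROOT = neg(dia('up', TOP))                                    # no mother

def closure(*formulas):
    """Cl: subformulas of the inputs plus root and leaf, closed under single negation."""
    cl = set()
    def sub(f):
        if f in cl: return
        cl.add(f)
        if f[0] == 'not': sub(f[1])
        elif f[0] == 'and': sub(f[1]); sub(f[2])
        elif f[0] == 'dia': sub(f[2])
    for f in formulas + (ROOT, LEAF): sub(f)
    return cl | {neg(f) for f in cl}

def hintikka_sets(gamma, chi):
    """Definition 1 over Cl(gamma, chi).  Assumed tightening: a set may not hold
    leaf together with a <down> formula, nor root together with an <up> formula."""
    cl = closure(gamma, chi)
    positives = [f for f in cl if f[0] != 'not']      # decide each positive formula
    sets = []
    for bits in product((False, True), repeat=len(positives)):
        A = frozenset(f if b else neg(f) for f, b in zip(positives, bits))
        if gamma not in A or TOP not in A: continue                       # cond. 1
        if any((f in A) != (f[1] in A and f[2] in A)
               for f in positives if f[0] == 'and'): continue             # cond. 3
        if LEAF in A and any(f[:2] == ('dia', 'down') for f in A): continue
        if ROOT in A and any(f[:2] == ('dia', 'up') for f in A): continue
        sets.append(A)
    return sets, cl

def child(A, B, level, cl):
    """A child B: it is not directly inconsistent that B is a daughter of A."""
    if level[A] <= level[B]: return False                                  # 1
    for f in cl:
        if f[0] != 'dia': continue
        if f[1] == 'down' and f[2] in B and f not in A: return False       # 2
        if f[1] == 'up' and f[2] in A and f not in B: return False         # 3
        if f[1] == 'up' and f in B and f[2] not in A: return False         # 4 (id never in B)
    return True

def down_saturated_at(A, S, level, cl):
    """Every <down>phi in A has a witness B in S with phi in B and A child B."""
    return all(any(f[2] in B and child(A, B, level, cl) for B in S)
               for f in A if f[:2] == ('dia', 'down'))

def eliminate(choice, cl):
    """Figure 4: level 0 = leaf sets; level k+1 = sets whose <down> formulas are
    witnessed in the layers below.  Returns (S, l)."""
    L = {A for A in choice if LEAF in A}
    pool, S, k, level = set(choice) - L, set(L), 0, {A: 0 for A in L}
    while L:
        L = set()
        for A in pool:
            level[A] = k + 1
            if down_saturated_at(A, S, level, cl): L.add(A)
            else: del level[A]
        pool, S, k = pool - L, S | L, k + 1
    return S, level

def rooted_part(S, N, level, cl):
    """Stage 4: keep the sets reachable from the root set N along child."""
    reach, todo = {N}, [N]
    while todo:
        A = todo.pop()
        for B in S:
            if B not in reach and child(A, B, level, cl):
                reach.add(B); todo.append(B)
    return reach

def satisfiable(gamma, chi):
    """Is there a finite tree with gamma true everywhere and chi at the root?"""
    hs, cl = hintikka_sets(gamma, chi)
    unnamed = [A for A in hs if ROOT not in A]
    for N in hs:                                   # stage 2: choose the root set
        if ROOT not in N or chi not in N: continue
        S, level = eliminate(unnamed + [N], cl)    # stage 3
        if N not in S: continue
        H = rooted_part(S, N, level, cl)           # stage 4
        if N in H: return True                     # stage 5 (up-saturation vacuous)
    return False

if __name__ == "__main__":
    p = atom('p')
    print(satisfiable(TOP, dia('down', p)))                    # True
    print(satisfiable(implies(p, dia('down', p)), p))          # False: would need an infinite path
```

The second query in the usage lines is the finiteness phenomenon the introduction mentions: on arbitrary Kripke frames p ∧ [↓*](p → ⟨↓⟩p) is satisfiable, but the bottom-up levelling of Figure 4 can never place a set containing ⟨↓⟩p above a witness for p, so the root set is never added and the procedure answers "no".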

The algorithm is correct by Lemma 2. Let us check that the algorithm runs 
in time exponential in the length of the input. The first stage is clear. For the 
second stage it has to perform the rest of the algorithm for at most … 
many choices. So it is sufficient to show that stages 3-5 can be performed in 
exponential time. The algorithm of stage 3 terminates after at most |HS(γ, χ)| ≤ 
2^{O(|γ, χ|)} rounds of the do loop. As in [21], the tests inside the do loop take time 
polynomially bounded by |HS(γ, χ)|. Thus stage 3 takes time exponentially 
bounded by |γ, χ|. It is clear that stages 4 and 5 can all be performed in time 
polynomially bounded by |HS(γ, χ)|. Thus the algorithm is in EXPTIME. 

6 Conclusions 

We have given an exponential time decision algorithm for a modal language 
with nominals interpreted on finite rooted nominalized DAGs. This is (as far 
as we know) the first result which yields a decision algorithm for XPath query 
containment in the presence of XML's ID/IDREF referencing mechanism. 

Obviously the algorithm is not that easy to implement, so that is a next 
research question. Another question is whether we can get the same exponential 
upper bound if we interpret the language with both sibling axes on ordered 
NDAG's. 
The function h defined in the proof of Lemma 2 is almost a surjective bounded 
morphism (the zag direction might break for ↑ from Hintikka sets not contain- 
ing id). This leads us to conjecture that a slight improvement of that Lemma 
can be used to prove a completeness theorem for this logic. At present no ax- 
iomatization is known. 
Abstract. Decomposable negation normal form (DNNF) was developed 
primarily for knowledge compilation. Formulas in DNNF are linkless, in 
negation normal form (NNF), and have the property that atoms are not 
shared across conjunctions. Full dissolvents are linkless NNF formulas 
that do not in general have the latter property. However, many of the 
applications of DNNF can be obtained with full dissolvents. Two addi- 
tional methods — regular tableaux and semantic factoring — are shown 
to produce equivalent DNNF. A class of formulae is presented on which 
earlier DNNF conversion techniques are necessarily exponential; path 
dissolution and semantic factoring handle these formulae in linear time. 



1 Introduction 

The last decade has seen a virtual explosion of applications of propositional logic. 
One emerging application is knowledge compilation: preprocessing the underlying 
propositional theory. While knowledge compilation is intractable, it is done once, 
in an off-line phase, with the goal of making frequent on-line queries efficient. 
Both the off-line and on-line phases are considered in this paper. 

Horn clauses, ordered binary decision diagrams, tries, and sets of prime im- 
plicates/implicants have all been proposed as targets of such compilation — see, 
for example, [1, 2, 10, 14, 23, 24]. Some of these target languages employ nega- 
tion normal form (NNF), although most research has restricted attention to 
CNF. This may be because the structure of NNF formulae can be surprisingly 
complex. A comprehensive analysis of that structure can be found in [16] and 
in [18]. That analysis includes operations on NNF formulae that facilitate the 
use of NNF in systems. 

Decomposable negation normal form (DNNF), the subject of this paper, is 
a class of formulae studied by Darwiche [4, 6]. They are linkless, in negation 

* This research was supported in part by the National Science Foundation under grant 
CCR-0229339. 
normal form, and have the property that atoms are not shared across conjunc- 
tions. Every DNNF formula is automatically a full dissolvent — the end result 
of applying path dissolution to a formula until it is linkless. Full dissolvents are 
linkless NNF formulas, but in general they may share atoms across conjunc- 
tions. Nonetheless, many of the applications of DNNF depend primarily on the 
linkless property and are both available and equally efficient with full dissol- 
vents. Moreover, full dissolvents can be advantageous both in time and in the 
size of the resulting formula. In particular, a class of formulae is presented on 
which the methods of [4, 6] require exponential time and space to obtain DNNF. 
The full dissolvent can be obtained in linear time, is in DNNF, and is actually 
smaller than the original formula. Two additional methods are shown to yield 
a DNNF equivalent of their input formulas. Regular tableaux can handle any 
set of clauses, and semantic factoring works on any formula whatsoever. More- 
over, semantic factoring is shown to produce DNNF equivalents of the class of 
formulae alluded to above in linear time. 

Knowledge compilation is in some sense a harder problem than SAT. A SAT 
solver need only produce a yes-no answer, possibly with a satisfying assignment. 
On the other hand, to compile a propositional theory, one often requires the 
result to represent all satisfying assignments (or all consequences) of the theory. 
Thus, computing the full dissolvent or the DNNF equivalent of a formula will 
answer the question of satisfiability but may also incur more overhead than a SAT 
solver. On the other hand, progress with SAT solvers might not contribute to 
progress in knowledge compilation. 

A brief summary of the basics of NNF formulae, their two-dimensional rep- 
resentation, and path dissolution is presented in Section 2; greater detail can 
be found in [18]. Operations that are useful with DNNF formulae are discussed 
in Section 3, along with efficient counterparts for full dissolvents. In Section 4, 
regular tableaux and semantic factoring are described as methods for conversion 
to DNNF. Some concluding remarks and suggestions for future work are made 
in Section 5. 



2 Background 

2.1 Path Dissolution and Negation Normal Form 

Path dissolution [18] is an inference mechanism that works naturally with for- 
mulae in negation normal form. It is strongly complete in the sense that any 
sequence of link activations will eventually terminate, producing a linkless for- 
mula called the full dissolvent. The paths that remain are models of the original 
formula. Full dissolvents have been used effectively for computing the prime im- 
plicants and implicates of a formula [22, 23]. Path dissolution has advantages 
over clause-based inference mechanisms, even when the input is in CNF, since 
CNF can be factored, i.e., put into more compact NNF with applications of the 
distributive laws. The time savings is often significant, and the space savings can 
be dramatic. 
Formally, a logical formula is said to be in negation normal form if $\wedge$ and $\vee$
are the only (binary) connectives, and if all negations are at the atomic level. The
structure of NNF formulae can be surprisingly complex, and it is convenient to
represent formulae in NNF in a two-dimensional format, sometimes called a semantic
graph.^1



$$((C \wedge A) \vee D) \wedge (\bar{A} \vee (B \wedge \bar{C}))$$

[Figure: the formula (left) and its semantic graph (right). In the graph the
conjuncts $C, A$ and $B, \bar{C}$ are stacked vertically, $D$ is drawn beside
$C \wedge A$ and $\bar{A}$ beside $B \wedge \bar{C}$, and the two disjunctions
are conjoined.]

Two literal occurrences are said to be c-connected if they are conjoined within
the formula (and d-connected if they are disjoined within the formula). For
example, the literals $D$ and $\bar{C}$ are c-connected. A c-path (d-path) is a maximal
set of c-connected (d-connected) literal occurrences; the semantic graph in the
figure contains four c-paths: $\{C, A, \bar{A}\}$, $\{C, A, B, \bar{C}\}$, $\{D, \bar{A}\}$, and
$\{D, B, \bar{C}\}$. Of these, $\{C, A, \bar{A}\}$ and $\{C, A, B, \bar{C}\}$ are unsatisfiable. A link is
a complementary pair of c-connected literals; in the figure, $\{A, \bar{A}\}$ and
$\{C, \bar{C}\}$ are links.

There are several inference rules that use paths and links. Path dissolution 
is one that works with formulae in NNF and is especially well suited for the 
propositional case. Dissolution operates on links in a formula by restructuring 
the formula so that all c-paths through the link are eliminated. Since the num- 
ber of links is finite, the (linkless) full dissolvent must eventually be produced. 
Dissolution can be defined intuitively as follows (see [18] for a precise definition):
Suppose the formula $F$ contains the conjunction $G \wedge H$ with $A$ in $G$ and $\bar{A}$ in $H$.
Let $CPE(A, G)$ (the c-path extension of $A$ in $G$) be the part of $G$ that contains
all c-paths through $G$ that contain $A$, and let $CC(A, G)$ (the c-path complement
of $A$ in $G$) be the part of $G$ that contains all c-paths through $G$ that do not
contain $A$. Similarly define $CPE(\bar{A}, H)$ and $CC(\bar{A}, H)$ in $H$. Then dissolution
on the $\{A, \bar{A}\}$ link replaces $G \wedge H$ in $F$ with

$$(CPE(A, G) \wedge CC(\bar{A}, H)) \;\vee\; (CC(A, G) \wedge CC(\bar{A}, H)) \;\vee\; (CC(A, G) \wedge CPE(\bar{A}, H))$$

It is easily seen that the formula above is equivalent to (and has the identical
set of c-paths as) each of the more succinct constructions:

$$(G \wedge CC(\bar{A}, H)) \vee (CC(A, G) \wedge CPE(\bar{A}, H)) \qquad \text{and} \qquad (CPE(A, G) \wedge CC(\bar{A}, H)) \vee (CC(A, G) \wedge H)$$

^1 Good sources for descriptions of that structure — and to get an idea of how complex
that structure can be — are [16] and [18].

Consider the link $\{A, \bar{A}\}$ in the formula $F$ in the figure below: All c-paths
through it are unsatisfiable. Dissolving on that link restructures the graph as
indicated in the figure. Note that the dissolvent contains precisely the c-paths
that miss either $A$ or $\bar{A}$ (or both). Repeated applications of dissolution eventually
produce the full dissolvent, $FD(F)$, which has no unsatisfiable c-paths.

[Figure: $F$ (left), its dissolvent with respect to $\{A, \bar{A}\}$ (centre), and $FD(F)$
(right); only the panel titles survive extraction.]
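As an added, runnable illustration of c-paths, d-paths and links (this is example code written for this page, not code from the paper or from the Dissolver system), the following Python enumerates the paths of the formula in the first figure of this section. The tuple-based formula representation and the function names are assumptions of the example. It does not restructure the graph; instead it checks the paper's description of a dissolvent, namely that exactly the c-paths missing one literal of the link survive, directly on the path sets.

```python
from itertools import product

# Formula representation, constructed for this example: a literal is a string
# such as "A" or "~A" (the bar of the paper), and compound nodes are
# ("and", [...]) or ("or", [...]); this is the NNF tree behind a semantic graph.

def neg(lit):
    """Complement of a literal."""
    return lit[1:] if lit.startswith("~") else "~" + lit

def c_paths(f):
    """All c-paths of an NNF formula as tuples of literal occurrences: a
    conjunction joins one c-path from every conjunct, a disjunction offers
    the c-paths of any single disjunct (left-to-right order)."""
    if isinstance(f, str):
        return [(f,)]
    op, args = f
    sub = [c_paths(a) for a in args]
    if op == "and":
        return [sum(combo, ()) for combo in product(*sub)]
    return [p for paths in sub for p in paths]

def d_paths(f):
    """The dual notion: the roles of 'and' and 'or' are swapped. Every d-path
    is a clause implied by the formula."""
    if isinstance(f, str):
        return [(f,)]
    op, args = f
    sub = [d_paths(a) for a in args]
    if op == "or":
        return [sum(combo, ()) for combo in product(*sub)]
    return [p for paths in sub for p in paths]

def links(f):
    """Links: complementary literal pairs lying on a common c-path."""
    found = set()
    for p in c_paths(f):
        found.update(frozenset({lit, neg(lit)}) for lit in p if neg(lit) in p)
    return found

def unsatisfiable_c_paths(f):
    """C-paths that contain a link; the formula is unsatisfiable iff all do."""
    return [p for p in c_paths(f) if any(neg(lit) in p for lit in p)]

def c_paths_after_dissolving(f, link):
    """The c-paths that survive dissolution on `link`: exactly those that miss
    at least one literal of the link (the dissolvent has no others)."""
    return [p for p in c_paths(f) if not set(link) <= set(p)]

# The formula of the figure:  ((C ∧ A) ∨ D) ∧ (¬A ∨ (B ∧ ¬C))
FIG = ("and", [("or", [("and", ["C", "A"]), "D"]),
               ("or", ["~A", ("and", ["B", "~C"])])])
```

The four c-paths come out in the order the paper lists them, the d-paths are the clauses of the formula's CNF, and dissolving on $\{A, \bar{A}\}$ leaves three of the four c-paths.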



2.2 Factoring and the Prawitz Rule 

There is growing evidence that restriction to clause form can be a serious limita- 
tion. The NNF representation of a formula often has a considerable space advan- 
tage. There are efficient satisfiability preserving translations to clause form from 
NNF, but they are not equivalence preserving. On the other hand, many CNF 
formulae can be factored into an NNF equivalent that is exponentially smaller. 
Factoring a formula means applying the distributive laws so as to combine mul- 
tiple occurrences of subformulae. With logical formulae, since two distributive 
laws hold, both conjunctive and disjunctive factoring can be done; conjunctive 
factoring is the more useful by far with inference operations that are based on 
(conjunctive) links [19]. 

An automated deduction system that employs clause form cannot factor for- 
mulae since the factored formula will in general not be in clause form. On the 
other hand, any technique that uses NNF can factor, and, if the technique is path 
based, factoring may improve performance since it (often substantially) reduces 
the number of c-paths as well as the formula’s size. When factoring was added 
to Dissolver [18], a dissolution-based system, a dramatic speedup was achieved 
with every propositional formula that was input in clause form. (The time to 
factor the input was included in the running time.) 

Recall that a unit resolution step (at the ground level) produces a resolvent 
that is smaller than and subsumes the larger parent. Resolving a pair of two- 
literal clauses will create a clause no larger than the parents. These particular 
cases of resolution are often given high priority because they tend to limit or 
even reverse the growth of the formula. 
There are similar cases for ground dissolution, and the payoff is even more
dramatic. One is unit dissolution, which arises when $G$ consists of a single
literal $A$. Then $CC(A, G)$ is empty, and the dissolvent of the link $\{A, \bar{A}\}$ in the
subgraph $A \wedge H$ is $A \wedge CC(\bar{A}, H)$. Observe that the effect of dissolving is to
replace $H$ by $CC(\bar{A}, H)$, and that $CC(\bar{A}, H)$ is formed by deleting $\bar{A}$ and anything
directly conjoined to it. Hence no duplications whatsoever are required,
and both the size of the formula and the number of c-paths are reduced.

Another special case of dissolution is the Prawitz rule. Let the smallest
conjunction containing the link $\{A, \bar{A}\}$ be $G \wedge H$, with $A$ in $G$ and $\bar{A}$ in $H$. If $G \wedge H$
has the form on the left, then it may be replaced by the formula on the right;
this is called the Prawitz Rule.^2

$$(A \vee G') \wedge (\bar{A} \vee H') \quad\Longrightarrow\quad (A \wedge H') \vee (\bar{A} \wedge G')$$



The size of the formula is unchanged, and the c-path through the link $\{A, \bar{A}\}$
is removed. But also removed are all c-paths through both $G'$ and $H'$. When $G'$
and $H'$ are large, the reduction in c-paths is enormous, and the Prawitz step is
far superior to an ordinary dissolution step. In addition, as with any dissolution
step, the linked literals change from being c-connected to being d-connected.
But note that the (potentially large) subformulae $G'$ and $H'$ have also become
d-connected. This would not be the case in a routine dissolution step, and thus
the Prawitz rule pushes the formula more aggressively towards DNNF.

It might appear that the requirements for applying the rule are so strong 
that there are likely to be few opportunities to employ it. But note that the case 
in which $G'$ and $H'$ are each a disjunction of literals is merely that of two linked
clauses. Thus, for a CNF formula, there are many opportunities (initially) for 
application of the Prawitz rule. Moreover, the judicious use of factoring along 
with the Prawitz rule on CNF formulas will speed progress without increasing 
the size of the formula. 

Combining factoring and the Prawitz rule can be particularly effective for 
constructing a DNNF equivalent of a set of clauses. Given any set $S$ of clauses,
let $S_A$ be the subset consisting of those clauses containing either $A$ or $\bar{A}$, and
let $S' = S - S_A$. Factoring out $A$ and $\bar{A}$ from their clauses in $S_A$ produces the
NNF formula on the left in Figure 1.

Factoring has created a single link to which the Prawitz rule applies. The 
result (with S' included) is the formula on the right in Figure 1. Factoring plus 
the Prawitz rule may be applied to the CNF subformulas. But note that variables
(other than $A$) will in general be shared between $S'$ and the other parts of the
formula. Thus, unlike in the initial operation, not all occurrences of a variable can
be factored into one occurrence. One way to solve this problem is to distribute
the conjunction with $S'$ across the disjunction, creating a disjunction of two
CNF formulas. In fact, any NNF formula can be multiplied out to CNF (or to
a disjunction of CNF formulas), but avoiding this is precisely the reason for
focusing on NNF.

^2 The descriptions here of both path dissolution and the Prawitz Rule focus on single
links, but both rules have been defined to operate on multiple links under appropriate
circumstances — see [18].

[Fig. 1. Factoring on $A_1$ for the Prawitz Rule. Only the caption and a fragment
of the last clause, $L_{m2} \vee \ldots \vee L_{mn}$, survive extraction.]

Observe that the initial application of factoring plus Prawitz is equivalent to
applying the following identity, which holds for any formula $G$, to $S_A$:

$$G = (A \wedge G[\mathrm{TRUE}/A]) \vee (\bar{A} \wedge G[\mathrm{FALSE}/A])$$

where $G[B/A]$ denotes the replacement of all occurrences of atom $A$ by $B$ in $G$.
Observe that any formula $G$ may be replaced by the formula on the right. In
fact, this rule, called semantic factoring, can be applied to any subformula and, 
in particular, to the smallest part of the formula containing all occurrences of 
the variable being factored. The term semantic factoring reflects the fact that 
all occurrences of the atom A within the subformula under consideration have in 
effect been ‘factored’ into one positive and one negative occurrence. In addition 
to the conditioning operation discussed in Section 3.1, both the original Prawitz 
Rule [20] and Step 4 in Rule III of the Davis-Putnam procedure [8] are closely 
related to semantic factoring. 

3 Decomposable Negation Normal Form 

Let $atoms(F)$ denote the atom set of a formula $F$. An NNF formula $F$ (possibly
containing boolean constants) is said to be in decomposable negation normal
form (DNNF) if $F$ satisfies the decomposability property: If $\alpha = \alpha_1 \wedge \alpha_2 \wedge \ldots \wedge \alpha_n$ is
a conjunction in $F$, then $i \neq j$ implies that $atoms(\alpha_i) \cap atoms(\alpha_j) = \emptyset$; i.e., no
two conjuncts of $\alpha$ share an atom. Observe that a DNNF formula is necessarily
linkless since a literal and its complement cannot be conjoined — after all, they 
share the same atom. The structure of formulae in DNNF is much simpler than 
the more general NNF. As a result, many operations on DNNF formulae can be 
performed efficiently. Of course, obtaining DNNF can be expensive, but if this 
is done once as a preprocessing step, the “expense” can be spread over many 
queries. 

3.1 Conjoining Literals and Conditioning 

A useful operation presented in [6] is conjoining a literal $L$ (or, iteratively, a set
of literals) to a knowledge base $K$, while preserving whatever normal form $K$ may
have. If $K$ is in DNNF and contains occurrences of $L$ or of $\bar{L}$, then $K \wedge L$ is no
longer in DNNF. The conditioning operation, denoted $(K|L)$, produces an
equivalent DNNF: Replace all occurrences of $L$ in $K$ by TRUE and all occurrences
of $\bar{L}$ by FALSE and conjoin the result to $L$. This produces a formula that is
equivalent to $K \wedge L$ and is easily seen to be in DNNF. The operation is linear in
the size of $K$.

Suppose now that $K$ is a full dissolvent. The conjunction $(K \wedge L)$ may have
links between $K$ and $L$. For each such link a unit dissolvent can be generated that
removes the c-extension of $\bar{L}$ in $K$, in effect substituting false for $\bar{L}$ throughout
$K$. This leaves occurrences of $L$ but removes all links. Thus, a full dissolvent
results, and literal conjoining via unit dissolution preserves full dissolvents just
as conditioning preserves DNNF. It is worth noting that if $K$ happens to be
in DNNF, there are semantic graph-based tools that not only enable literal
conjoining but also result in a DNNF formula.^3

3.2 Testing for Entailment 

One of the most fundamental types of queries is whether a knowledge base $K$
logically entails a clause $C$. If so, then of course $(K \wedge \neg C)$ is unsatisfiable. Since
$\neg C$ is a conjunction of literals, $K$ may be conditioned on each literal in $\neg C$, and
the entailment test amounts to a satisfiability test on the resulting formula.

A DNNF formula can be tested for satisfiability in linear time. The reason
is that the test can always be performed independently on subformulae. For
disjunctions, this is true for any NNF formula: the formula is satisfiable if and only
if at least one of its disjuncts is. However, a conjunction may be unsatisfiable
even if all of its conjuncts are (separately) satisfiable. But this is not true for
DNNF because the conjuncts do not share variables. The satisfying interpretations
of different conjuncts cannot conflict, and so can be combined into a single
satisfying interpretation for the entire conjunction. This independence for both
disjunction and conjunction yields a linear satisfiability test for DNNF
immediately. (Note that the truth constants TRUE and FALSE are allowed in the
formula; otherwise, the test would be in constant time.)

^3 The occurrences of $L$ in $K$ left behind by unit dissolutions on $L$ violate DNNF but
form conjunctive anti-links [21] with $L$. Activating these with the appropriate
anti-link operator removes the d-extension of occurrences of $L$ in $K$, which has the effect
of replacing $L$ by TRUE. So with unit dissolution and anti-links, $(K \wedge L)$ can be
converted into an equivalent DNNF formula.

Full dissolvents, on the other hand, do share variables across conjunctions. 
Nonetheless, entailment can be determined in linear time. For any formula $K$,
$K \models C$ iff $K \wedge \neg C$ is unsatisfiable. In particular, if $K$ is a full dissolvent, $K$ contains
no links, and all links in $K \wedge \neg C$ go between $K$ and $\neg C$. Unit dissolutions on
those links strictly decrease the size of the formula. Each operation is no worse 
than linear in the amount by which the formula shrinks. So the sum total of 
a series of unit dissolutions can require no worse than time linear in the size 
of JC. Activating all links results again in a linkless formula. If this formula is 
non-empty, the absence of links implies that it is satisfiable. (With dissolution, 
we usually assume that truth constants are simplified away; if not, then the 
additional analysis used for DNNF applies.) 

For implementation purposes, there is a better approach. We need not actually
perform the unit dissolutions on $K$. The next theorem is proved in [22].

Theorem 1. In any non-empty formula $K$ in which no c-path contains a link,
every implicate of $K$ is subsumed by some d-path of $K$. □

As a result, a clause $C$ can be tested for entailment as follows: First, mark
all complements of the literals of $\neg C$ in $K$ (i.e., the literals of $K$ that also occur
in $C$) and call the resulting subgraph $K_C$. Then determine whether $K_C$ contains a
full d-path through $K$. This computation can be done in a recursive manner
analogous to the satisfiability test for DNNF. A marked literal is a d-path from
$K_C$ through itself, and an unmarked literal contains no d-path from $K_C$. $K_C$
contains a d-path through a conjunction if there is one through one of the
conjuncts, and it contains a d-path through a disjunction if there is one through
each of its disjuncts. Although this is a somewhat informal description, the
algorithm is easily seen to be linear in the size of $K$.
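The following Python is an added example (not code from the paper) that puts Sections 3.1 and 3.2 side by side: conditioning with the constants kept in place, the linear DNNF satisfiability test, entailment via conditioning, and the d-path marking test of Theorem 1, which never rewrites $K$. The representation, the knowledge base and the query clauses are constructed for the example; marking follows the complements of the literals of $\neg C$, i.e. the literals of the query clause itself.

```python
# Formula representation, constructed for this example: a literal is "A" or
# "~A", the constants True/False are allowed (as the text notes), and compound
# nodes are ("and", [...]) / ("or", [...]).

def neg(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit

def condition(K, L):
    """(K|L) of Section 3.1: TRUE for L and FALSE for ~L throughout K, then
    conjoin L. Nothing is simplified, so the result keeps the constants; it is
    still in DNNF because the atom of L no longer occurs inside the body."""
    def sub(f):
        if isinstance(f, str):
            return True if f == L else False if f == neg(L) else f
        return f if isinstance(f, bool) else (f[0], [sub(a) for a in f[1]])
    return ("and", [L, sub(K)])

def dnnf_sat(f):
    """Linear satisfiability test of Section 3.2. Each subformula is decided
    on its own; for conjunctions that is sound only because the conjuncts of
    a DNNF formula share no atoms."""
    if isinstance(f, bool):
        return f
    if isinstance(f, str):
        return True
    return (all if f[0] == "and" else any)(dnnf_sat(a) for a in f[1])

def entails_by_conditioning(K, C):
    """K |= C iff K conditioned on every literal of ~C is unsatisfiable."""
    for lit in C:
        K = condition(K, neg(lit))
    return not dnnf_sat(K)

def entails_by_dpaths(K, C):
    """Theorem 1 turned into a test for a linkless, constant-free K. Mark the
    literals of K that are complements of literals of ~C (the literals of C)
    and look for a full d-path made of marked literals only: a conjunction
    has one if some conjunct does, a disjunction if every disjunct does."""
    marked = set(C)
    def has_marked_dpath(f):
        if isinstance(f, str):
            return f in marked
        return (any if f[0] == "and" else all)(has_marked_dpath(a) for a in f[1])
    return has_marked_dpath(K)

# Constructed knowledge base in DNNF (hence linkless):  (A ∧ (B ∨ C)) ∨ (¬A ∧ D)
KB = ("or", [("and", ["A", ("or", ["B", "C"])]), ("and", ["~A", "D"])])

def demo():
    """Run both entailment tests on a few constructed query clauses; the two
    answers should agree on every query."""
    queries = [["B", "C", "D"], ["B", "D"], ["A", "D"], ["~A", "B", "C"]]
    return [(entails_by_conditioning(KB, q), entails_by_dpaths(KB, q)) for q in queries]
```

Of the four queries, $B \vee D$ is the one not entailed: the model $A, C, \neg B, \neg D$ of the knowledge base falsifies it, and correspondingly no d-path of $KB$ lies inside $\{B, D\}$.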

3.3 Projection 

If $\mathcal{A}$ is a set of atoms, then an $\mathcal{A}$-sentence is defined to be a formula, all of
whose atoms come from $\mathcal{A}$. An $\mathcal{A}$-literal is a literal whose atom is in $\mathcal{A}$, and
an $\bar{\mathcal{A}}$-literal is a literal whose atom is not in $\mathcal{A}$. In this paper, we assume all
$\mathcal{A}$-sentences to be in NNF. If $F$ is a formula, then the projection of $F$ onto $\mathcal{A}$,
denoted $Project(F, \mathcal{A})$, is defined to be the formula produced by substituting
true for each $\bar{\mathcal{A}}$-literal (whether it occurs positively or negatively) in $F$.^4

The next theorem is proved in [6] for DNNF formulae and generalized here to
arbitrary linkless formulae. The path-based proof below is considerably simpler
than the one in [6]. Observe that when a formula contains the constants true and
false, the formula can easily be simplified to an equivalent formula that contains
no constants, and for most implementation purposes, this is desirable. For the
proof of the theorem, however, it is more convenient to assume the projection is
not so simplified.

^4 These definitions come from [6], although the definition of projection is stated
differently there.

Theorem 2. If $F$ is a linkless formula, if $\Gamma = Project(F, \mathcal{A})$, and if $\beta$ is an
$\mathcal{A}$-sentence, then $F \models \beta$ iff $\Gamma \models \beta$.

Proof. Suppose first that $F \models \beta$; i.e., that $F \wedge \neg\beta$ is unsatisfiable. We must
show that $\Gamma \models \beta$; i.e., that $\Gamma \wedge \neg\beta$ is unsatisfiable. It suffices to show that
every c-path $p$ through $\Gamma \wedge \neg\beta$ contains a link or the constant false. Let $\bar{p}$ be
the path through $F \wedge \neg\beta$ corresponding to $p$; i.e., $\bar{p}$ contains the same $\mathcal{A}$-literals
as $p$ but has the $\bar{\mathcal{A}}$-literals that were replaced by true in $\Gamma$. Since $F \wedge \neg\beta$ is
unsatisfiable, $\bar{p}$ contains a link or the constant false. If $\bar{p}$ contains the constant
false, then $p$ must also contain the constant since false cannot be introduced
into a formula by the projection operation. If $\bar{p}$ contains a link, since $F$ is linkless,
that link must contain one literal from $F$ and one from $\neg\beta$ or both from $\neg\beta$.
But $\beta$ and thus $\neg\beta$ is an $\mathcal{A}$-sentence, so that link must exist on $p$.

Conversely, suppose that $\Gamma \models \beta$; i.e., that $\Gamma \wedge \neg\beta$ is unsatisfiable. We must
show that $F \wedge \neg\beta$ is unsatisfiable. Let $\bar{p}$ be a path through $F \wedge \neg\beta$, and let $p$ be
the corresponding path through $\Gamma \wedge \neg\beta$. Then $p$ contains a link or the constant
false, and that link or constant must also be in $\bar{p}$ since every literal in $p$ is also
in $\bar{p}$. □

Note that the second half of the proof made no use of the properties of $F$,
and so that half of the theorem is valid for any NNF formula. Hence,

Corollary. If $F$ is any NNF formula, if $\Gamma = Project(F, \mathcal{A})$, and if $\beta$ is an
$\mathcal{A}$-sentence such that $\Gamma \models \beta$, then $F \models \beta$. □

Projection can be quite useful for handling queries over a fixed subset $\mathcal{A}$
of the variables in a compiled knowledge base $K$. Depending upon $K$ and $\mathcal{A}$,
$Project(K, \mathcal{A})$ may be much smaller than $K$ and yet entails exactly the same
$\mathcal{A}$-sentences entailed by $K$. So queries based on entailment that are confined to $\mathcal{A}$
can be processed correspondingly more efficiently. Furthermore, since projection
preserves structure and introduces no new atoms, it also preserves the DNNF or
the linkless status of formulas. Yet none of these observations make full use of
the corollary above.

$Project(F, \mathcal{A})$ is missing atoms from $F$ and so may be linkless or in DNNF
even if $F$ is not. After such a case has been identified, queries confined to $\mathcal{A}$
for which the projection provides an affirmative answer are in effect answered
without compilation at all, even if the knowledge base $K$ is arbitrary NNF.
Furthermore, if the projection does not have the desired normal form, it still
entails the same subset of the $\mathcal{A}$-sentences entailed by $K$. If it is much smaller
than $K$, then compiling the projection will likely be much more efficient than
compiling $K$, and the compiled version of the projection can then be used to
provide answers for that subset of queries. Since only the projection need be
compiled, if compilation is required at all, this provides a very efficient sound
but not complete query answering method.^5
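An added example, not code from the paper, of projection and of the two directions of Theorem 2 and its corollary. The formulas LINKED and LINKLESS, the query atom set and the brute-force entailment oracle are constructed assumptions of the example; the projection keeps the constants in place, as the proof does, and evaluation handles them.

```python
from itertools import product

# Formula representation, constructed for this example: a literal is "A" or
# "~A", constants are True/False, compound nodes are ("and", [...]) / ("or", [...]).

def atom(lit):
    return lit.lstrip("~")

def atoms(f):
    if isinstance(f, bool):
        return set()
    if isinstance(f, str):
        return {atom(f)}
    return set().union(*(atoms(a) for a in f[1]))

def project(f, A):
    """Project(F, A): every literal whose atom lies outside A becomes TRUE,
    whatever its sign. The structure of F is untouched (so DNNF and
    linklessness survive) and no simplification is performed."""
    if isinstance(f, bool):
        return f
    if isinstance(f, str):
        return f if atom(f) in A else True
    return (f[0], [project(a, A) for a in f[1]])

def evaluate(f, model):
    if isinstance(f, bool):
        return f
    if isinstance(f, str):
        return model[atom(f)] != f.startswith("~")
    return (all if f[0] == "and" else any)(evaluate(a, model) for a in f[1])

def entails(f, g):
    """Brute-force F |= G over the atoms of both formulas (reference oracle)."""
    names = sorted(atoms(f) | atoms(g))
    for vals in product([False, True], repeat=len(names)):
        m = dict(zip(names, vals))
        if evaluate(f, m) and not evaluate(g, m):
            return False
    return True

# Constructed knowledge base with a link on X:   A ∧ ¬X ∧ (X ∨ B)
LINKED = ("and", ["A", "~X", ("or", ["X", "B"])])
# Its full dissolvent (the c-path through the link removed):   A ∧ ¬X ∧ B
LINKLESS = ("and", ["A", "~X", "B"])
# The query atoms A of the example.
QUERY_ATOMS = {"A", "B"}

def compare(f, beta):
    """(F |= beta, Project(F, A) |= beta) for an A-sentence beta."""
    return entails(f, beta), entails(project(f, QUERY_ATOMS), beta)
```

With the link still present, $F \models B$ but the projection, which is equivalent to $A$, does not entail $B$: the "only if" half of Theorem 2 genuinely needs linklessness. The full dissolvent projects to $A \wedge \mathrm{TRUE} \wedge B$ and recovers the answer, while the corollary's direction (projection entails, hence $F$ entails) holds for both inputs.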

Various queries from planning, diagnosis, and Boolean circuit analysis are 
naturally confined to subsets of the knowledge base variables [6] . With the theo- 
rem and corollary above, projection seems to be a promising technique for these 
situations. 

4 Compilation Techniques 

Full dissolvents provide efficiency equal to that of DNNF for the operations 
discussed so far. Furthermore, compiling to DNNF will sometimes create a much 
larger formula than will computing a full dissolvent. However, there are several 
operations that are efficient for DNNF, and that cannot obviously be handled 
efficiently with full dissolvents. In this section, after a brief discussion of several 
of these operations, alternative techniques for producing DNNF are introduced. 

An NNF formula $F$ is smooth if for every disjunction $\beta = \beta_1 \vee \ldots \vee \beta_n$ in $F$,
$atoms(\beta) = atoms(\beta_i)$, $1 \le i \le n$. A formula $\beta$ can be smoothed as follows:
Let $B_i = atoms(\beta) - atoms(\beta_i)$, $1 \le i \le n$. For each $i$, form the conjunction
$\bigwedge_{p \in B_i} (p \vee \bar{p})$ and conjoin it with $\beta_i$ to produce $\beta_i'$, and call the resulting
disjunction $\beta'$. This operation is polynomial (roughly quadratic), preserves both
equivalence and DNNF, and produces a smooth $\beta'$. Smoothness is convenient
for minimization, discussed below.

The minimum cardinality of a formula $F$ is defined to be the minimum number
of negated atoms in any satisfying model. If the formula is in DNNF, this
can be computed in linear time because the computations on subformulas are
independent. The algorithm is a straightforward recursion, but the disjointness
of atom sets across conjunctions is crucial. The minimization of a formula $F$ is
a formula $\Gamma$, all of whose models are minimum cardinality models of $F$. When
$F$ is a smooth DNNF, $\Gamma$ can be computed in linear time by merely dropping
from all disjunctions those disjuncts whose minimum cardinality is greater than
the minimum cardinality of the disjunction. Minimum cardinality and minimization
(and thus smoothness) have applications in model-based diagnosis and in
planning [5].
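As an added example (not the paper's code) of smoothing, minimum cardinality and minimization on DNNF, the Python below implements the three operations as described above and adds a brute-force check that the minimized formula has exactly the minimum-cardinality models of the input. The representation, the helper names and the two constructed inputs are assumptions of the example; inputs are taken to be satisfiable, constant-free DNNF.

```python
from itertools import product

# Formula representation, constructed for this example: a literal is "A" or
# "~A" and compound nodes are ("and", [...]) / ("or", [...]). Inputs are
# assumed to be satisfiable, constant-free DNNF, as in the text.

def atoms(f):
    if isinstance(f, str):
        return {f.lstrip("~")}
    return set().union(*(atoms(a) for a in f[1]))

def smooth(f):
    """For every disjunct beta_i of a disjunction, conjoin (p ∨ ¬p) for each
    atom p of the disjunction that beta_i lacks (the set B_i of the text).
    Those atoms are new to beta_i, so decomposability is preserved."""
    if isinstance(f, str):
        return f
    op, args = f
    args = [smooth(a) for a in args]
    if op == "and":
        return ("and", args)
    whole = atoms(("or", args))
    smoothed = []
    for a in args:
        missing = sorted(whole - atoms(a))
        if missing:
            a = ("and", [a] + [("or", [p, "~" + p]) for p in missing])
        smoothed.append(a)
    return ("or", smoothed)

def min_card(f):
    """Minimum number of negated atoms in a model. Linear on DNNF: conjuncts
    have disjoint atoms, so their minima simply add up."""
    if isinstance(f, str):
        return 1 if f.startswith("~") else 0
    op, args = f
    return (sum if op == "and" else min)(min_card(a) for a in args)

def minimize(f):
    """On a smooth DNNF: drop from each disjunction every disjunct whose
    minimum cardinality exceeds that of the disjunction."""
    if isinstance(f, str):
        return f
    op, args = f
    if op == "and":
        return ("and", [minimize(a) for a in args])
    best = min_card(f)
    kept = [minimize(a) for a in args if min_card(a) == best]
    return kept[0] if len(kept) == 1 else ("or", kept)

def evaluate(f, model):
    if isinstance(f, str):
        return model[f.lstrip("~")] != f.startswith("~")
    return (all if f[0] == "and" else any)(evaluate(a, model) for a in f[1])

def minimum_models(f):
    """Brute-force reference: the models of f with the fewest negated atoms."""
    names = sorted(atoms(f))
    models = [dict(zip(names, vals))
              for vals in product([False, True], repeat=len(names))
              if evaluate(f, dict(zip(names, vals)))]
    fewest = min(sum(not v for v in m.values()) for m in models)
    return [m for m in models if sum(not v for v in m.values()) == fewest]

def minimization_is_exact(f):
    """True iff the models of minimize(smooth(f)), over atoms(f), are exactly
    the minimum-cardinality models of f."""
    g = minimize(smooth(f))
    names = sorted(atoms(f))
    got = [m for vals in product([False, True], repeat=len(names))
           for m in [dict(zip(names, vals))] if evaluate(g, m)]
    return got == minimum_models(f)

# Constructed DNNF inputs: K1 is not smooth (the disjunct ~A lacks B);
# K2 is smooth and has two disjuncts of the same minimum cardinality.
K1 = ("and", ["C", ("or", [("and", ["A", "B"]), "~A"])])
K2 = ("or", [("and", ["~A", "B"]), ("and", ["A", "~B"]), ("and", ["~A", "~B"])])
```

Smoothing K1 pads the disjunct $\bar{A}$ with $(B \vee \bar{B})$; minimization then drops it, because its minimum cardinality is 1 against 0 for $A \wedge B$. For K2 the two disjuncts of cardinality 1 are both kept and only $\bar{A} \wedge \bar{B}$ is removed.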

Two techniques for compiling a formula into DNNF are regular tableaux and 
semantic factoring. The first is a restriction of the tableau method developed 
by Letz [12, 13]; the second was defined in Section 2.2. It is a variant of Dar- 
wiche’s conditioning [6] and is closely related to earlier methods of Prawitz [20] 
and of Davis and Putnam [8]. Semantic factoring is polynomial on the class $C_n^m$
of formulas defined in Section 4.2. The compilation techniques in [6] are
exponential for $C_n^m$; they do employ conditioning, but the intractability is not due to
conditioning itself.

^5 This is an efficient approach that is similar to the approximate compilation defined
in [6], in which some atoms are ignored. There, the restriction to a given atom set
occurs during the compilation of $K$.
4.1 Regular Tableaux

There are variations — all minor — in the way different authors define the 
tableau method. One issue is whether the initial formula is part of the tableau. 
Letz [12], for example, brings subformulas into the tableau only after the ap- 
plication of a beta rule. The definition below forms an initial tableau with the 
original formula, which is convenient for formulas in negation normal form. While 
the difference is minor, it does have some effect. For example, unit clauses are 
handled differently. It should also be noted that many authors do not restrict 
attention to clause form. Three of the many good references for the tableau 
method are [25, 9, 3]. 

There is a natural correspondence between tableau proof trees and semantic 
graphs, and, since our goal here is to produce DNNF formulas, it is convenient 
to cast tableaux in terms of semantic graphs. The generation of the tableau 
from a formula in NNF requires the usual $\alpha$, $\beta$ and closure rules. We restrict
attention here to sets of clauses because it is far from obvious how to obtain
DNNF from an arbitrary NNF formula using tableaux. With that restriction, $\alpha$
rules are unnecessary.

Definition. A tableau for a set (conjunction) of clauses $S = \{C_1, C_2, \ldots, C_n\}$ is
a tree representing a semantic graph. The root is unlabeled, and the remaining
nodes are labeled with clauses or literals.

1. The tree consisting of a single branch on which the nodes are labeled with 
the clauses of S is the initial tableau. 

2. If T is a tableau, a new tableau may be obtained by conjoining to a leaf in 
T the disjunction of the literals of any clause in T. This is the beta rule or 
beta extension. Each of the extending literals thus becomes a leaf. 

3. If a beta rule produces a leaf whose literal is the negative of a literal labeling 
a node already on that branch, the branch is marked closed. This is the 
closure rule. 

4. A beta extension of path $b$ is regular if none of the resulting leaf literals also
label a node of $b$. A tableau is said to be regular if every extension used to
produce it is regular.

5. A clause may be deleted from the tableau if the resulting tableau is logically 
equivalent. 

Note that it is never useful to extend unit clauses, and we assume for the 
remainder of the discussion that such unit extensions are never done. Further- 
more, we consider a node on the initial branch labeled with a unit clause to be 
in effect labeled with the literal of that clause. 

A tree branch is the conjunction of its nodes but may also be viewed as 
a collection of c-paths. That view makes it easy to see that a closure amounts 
to dissolving on the link consisting of the leaf literal and its negative along the 
branch that enabled the closure. We call a tableau closed if every branch has 
been closed and note that a closed tableau may be interpreted as the empty 
clause. We call a tableau complete if every node is labeled with a literal. Thus, 
closed tableaux are complete (all clauses are in effect deleted) and represent
unsatisfiable formulas. Observe that the branches in a complete tableau are 
single c-paths. 

Complete tableaux are interesting when a formula is satisfiable. In particular, 
a complete regular tableau is in DNNF. The reason is simple: Regularity ensures
that no literal occurs more than once along a single branch, and all conjunctions 
in a tableau are represented by branches. Note that completeness is required for 
DNNF; otherwise, a literal and a clause containing the literal might appear on 
the same branch. 

One way to obtain a complete tableau is to extend each clause along every 
branch and then delete it. In general, however, such tableaux are not regular. 
However, as the next theorem demonstrates, if we apply all possible regular ex- 
tensions to every non-unit clause, then we do obtain a complete, regular tableau; 
i.e., we do obtain DNNF. 

Theorem 3. Let $S = \{C_1, C_2, \ldots, C_n\}$ be a set of clauses, and let $T$ be the tableau
obtained by applying all possible regular extensions to each non-unit clause
and then deleting the clause. Then $T$ is a complete, regular tableau logically
equivalent to $S$. In particular, $T$ is a DNNF equivalent of $S$.

Proof. Proceed by induction on $n$, the number of clauses in $S$. If $n = 1$, the
result is trivial, so suppose it holds for all clause sets with at most $n$ clauses,
and suppose $S$ has $n + 1$, say $S = \{C_1, C_2, \ldots, C_{n+1}\}$.

If $S' = \{C_1, C_2, \ldots, C_n\}$, then the induction hypothesis applies to $S'$; i.e., if we
apply all possible regular extensions to each non-unit clause in $S'$ and delete the
clause, the resulting tableau $T'$ is complete, regular, and logically equivalent to
$S'$. Applying the same operations to $S$ produces a tableau $T'_{n+1}$ identical to $T'$
but with $C_{n+1}$ on the initial branch. Let $T$ be the result of applying all possible
regular extensions of $C_{n+1}$ in $T'_{n+1}$ and then deleting it. Let $T^*$ be the result of
extending $C_{n+1}$ on all branches in $T'_{n+1}$ (whether or not the extension is regular)
and then deleting it.

The proof will be complete if we show that $T$ is logically equivalent to $S$.
Since $T'$ is logically equivalent to $S'$, and since $T'_{n+1} = S' \wedge C_{n+1} = S$, $T^*$ is
logically equivalent to $S$. Thus, it suffices to show that every branch in $T'_{n+1}$ on
which an irregular extension is performed in producing $T^*$ is subsumed by one of
the extensions. Let $b = \{p_1, p_2, \ldots, p_k\}$ be (the node labels of) any such branch.
Thus, for some $i$, $p_i \in C_{n+1}$. As a result, if $I$ is an interpretation satisfying $b$,
then $I$ also satisfies the branch $\{p_1, p_2, \ldots, p_k, p_i\}$ in $T^*$. □

4.2 Semantic Factoring 

One disadvantage of using regular tableaux to produce DNNF, shared by the 
methods of [6], is the reliance on CNF for the initial formula set. In this sec- 
tion, repeated application of semantic factoring, as introduced in Section 4.2, is 
shown to produce DNNF from any formula; i.e., no normalization whatsoever is 
required. Recall that the method is based on the identity:

$$G = (A \wedge G[\mathrm{TRUE}/A]) \vee (\bar{A} \wedge G[\mathrm{FALSE}/A])$$

where $G[B/A]$ denotes the replacement of all occurrences of atom $A$ by $B$ in $G$.

It is immediate that the formula on the right has the decomposability property
with respect to atom $A$. Applying this identity iteratively over the atom set
of $G$ will thus produce a DNNF equivalent of $G$.

There will of course be formulas on which semantic factoring is exponential. 
(We consider the size of a formula to be the number of literal occurrences.) Since 
applying the rule seems to almost double the formula, one might suspect that in 
fact it is always exponential. This is not the case, however, because the rule may 
be applied to any subformula. In particular, subformulas that do not share atoms 
would clearly be processed more efficiently when processed independently. The 
reason is that when factoring on atom $A$, any part of $G$ that is sufficiently
'far away' from $A$ will occur twice in the result. (For NNF, subformulas outside of
both the c-extension and the d-extension of $A$-literals are sufficiently far away.)
Note also that for conversion to DNNF, even formulas that do share variables 
may be processed independently if they are d-connected. 

Consider $C_n$, the complete formula on $n$ variables: $C_1$ is $A_1 \wedge \bar{A}_1$, and $C_{n+1}$
is defined by taking two copies of $C_n$, adding $A_{n+1}$ to each clause in one copy
and $\bar{A}_{n+1}$ to each clause in the other copy. The formulas that result are in CNF.
Handling these formulas efficiently is somewhat uninteresting because they are
as large as their truth tables. They are also unsatisfiable and compile to false.
However, any proper subset of $C_n$ is satisfiable.

Let $C_n^m$ be any subset of $C_n$ containing $m$ clauses. Then $C_n^m$ has $m$ clauses of $n$
literals each, and all clauses have identical atom sets. A typical member $G$ of
$C_n^m$ is depicted on the left in Figure 2, where the atom set is $\{A_1, A_2, \ldots, A_n\}$
and $L_{ij} = A_j$ or $L_{ij} = \bar{A}_j$, $1 \le i, j \le n$. Furthermore, we assume that $L_{i1} =
A_1$, $1 \le i \le k$, and that $L_{i1} = \bar{A}_1$, $k + 1 \le i \le n$. The situation is essentially
that of Figure 1 except for the assumptions about the atom set. If we apply
semantic factoring to $G$ on $A_1$, the formula on the right in Figure 2 results. It is
a disjunction whose arguments are each essentially in CNF (except for $A_1$ and
for $\bar{A}_1$ which play no further role).



$$
\begin{array}{c}
A_1 \vee L_{12} \vee \ldots \vee L_{1n} \\
\vdots \\
A_1 \vee L_{k2} \vee \ldots \vee L_{kn} \\
\bar{A}_1 \vee L_{k+1,2} \vee \ldots \vee L_{k+1,n} \\
\vdots \\
\bar{A}_1 \vee L_{n2} \vee \ldots \vee L_{nn}
\end{array}
\qquad\Longrightarrow\qquad
\left( A_1 \wedge
\begin{array}{c}
L_{k+1,2} \vee \ldots \vee L_{k+1,n} \\
\vdots \\
L_{n2} \vee \ldots \vee L_{nn}
\end{array}
\right)
\;\vee\;
\left( \bar{A}_1 \wedge
\begin{array}{c}
L_{12} \vee \ldots \vee L_{1n} \\
\vdots \\
L_{k2} \vee \ldots \vee L_{kn}
\end{array}
\right)
$$

(Vertically stacked clauses are conjoined, as in the semantic graphs of Section 2.)

Fig. 2. Semantic Factoring on $A_1$
Notice that the size of the formula after semantic factoring has not increased.
In fact, the number of literal occurrences has decreased by $n - 2$. (If $n = 1$, this is
an increase but is irrelevant since the formula is already in DNNF.) Furthermore,
two disjoined clause sets remain, one a member of $C_{n-1}^{n-k}$ and the other a member
of $C_{n-1}^{k}$. Each set can be processed independently, and the above analysis applies.
Hence, this procedure produces DNNF in linear time, and the resulting DNNF
is smaller than the original formula. This proves

Theorem 4. The class $C_n^m$ of CNF formulas can be compiled into DNNF in
linear time and space with semantic factoring. □
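The following added Python (not code from the paper or from [6]) implements both compilation techniques of this section: semantic factoring from the identity of Sections 2.2 and 4.2, and the regular-tableau construction of Theorem 3. Both outputs are checked for decomposability and for equivalence by brute force, and the size bookkeeping of Figure 2 is reproduced on a constructed member of $C_3^3$. The representation, the function names and the clause set are assumptions of the example; factoring only atoms shared by two or more conjuncts is the "process independently" remark of Section 4.2 made concrete.

```python
from itertools import product

# Formula representation, constructed for this example: a literal is "A" or
# "~A", constants are True/False, compound nodes are ("and", [...]) /
# ("or", [...]), and a clause set is a list of lists of literals.

def neg(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit

def atoms(f):
    if isinstance(f, str):
        return {f.lstrip("~")}
    return set() if isinstance(f, bool) else set().union(*(atoms(a) for a in f[1]))

def size(f):  # size in the sense of Section 4.2: number of literal occurrences
    return 0 if isinstance(f, bool) else 1 if isinstance(f, str) else sum(size(a) for a in f[1])

def is_dnnf(f):
    """Decomposability: the conjuncts of every conjunction share no atom."""
    if isinstance(f, (bool, str)):
        return True
    op, args = f
    disjoint = sum(len(atoms(a)) for a in args) == len(atoms(f))
    return (op == "or" or disjoint) and all(is_dnnf(a) for a in args)

def substitute(f, atom, value):
    """G[TRUE/A] or G[FALSE/A], with the constants simplified away."""
    if isinstance(f, bool):
        return f
    if isinstance(f, str):
        return f if f.lstrip("~") != atom else value if f == atom else not value
    op, args = f
    new = [substitute(a, atom, value) for a in args]
    identity, absorbing = (True, False) if op == "and" else (False, True)
    if absorbing in [a for a in new if isinstance(a, bool)]:
        return absorbing
    new = [a for a in new if not isinstance(a, bool)]
    return identity if not new else new[0] if len(new) == 1 else (op, new)

def factor_step(f, atom):
    """One application of  G = (A ∧ G[TRUE/A]) ∨ (¬A ∧ G[FALSE/A])."""
    branches = []
    for lit, value in ((atom, True), ("~" + atom, False)):
        g = substitute(f, atom, value)
        if g is not False:
            branches.append(lit if g is True else ("and", [lit, g]))
    if not branches:
        return False
    return branches[0] if len(branches) == 1 else ("or", branches)

def semantic_factor(f):
    """Compile any NNF formula to DNNF. Disjuncts and atom-disjoint conjuncts
    are handled independently; an atom is factored out of a conjunction only
    while two or more of its conjuncts share that atom."""
    if isinstance(f, (bool, str)):
        return f
    op, args = f
    args = [semantic_factor(a) for a in args]
    if op == "or":
        return ("or", args)
    owners = {}
    for i, a in enumerate(args):
        for at in atoms(a):
            owners.setdefault(at, set()).add(i)
    shared = sorted(at for at, idx in owners.items() if len(idx) > 1)
    if not shared:
        return ("and", args)
    return semantic_factor(factor_step(("and", args), shared[0]))

def regular_tableau(clauses, branch=()):
    """Theorem 3 as a recursion over branches: the next clause is extended on
    the branch by every regular beta extension (none when one of its literals
    is already on the branch, closure when the complement is), then deleted.
    Returns the NNF subtree below `branch`: True if open, False if closed."""
    if not clauses:
        return True
    C, rest = clauses[0], clauses[1:]
    if any(lit in branch for lit in C):
        return regular_tableau(rest, branch)
    alts = []
    for lit in C:
        if neg(lit) in branch:
            continue
        sub = regular_tableau(rest, branch + (lit,))
        if sub is not False:
            alts.append(lit if sub is True else ("and", [lit, sub]))
    if not alts:
        return False
    return alts[0] if len(alts) == 1 else ("or", alts)

def clauses_to_nnf(clauses):
    return ("and", [c[0] if len(c) == 1 else ("or", list(c)) for c in clauses])

def evaluate(f, model):
    if isinstance(f, (bool, str)):
        return f if isinstance(f, bool) else model[f.lstrip("~")] != f.startswith("~")
    return (all if f[0] == "and" else any)(evaluate(a, model) for a in f[1])

def equivalent(f, g):
    """Brute-force equivalence over the atoms of both formulas (reference only)."""
    names = sorted(atoms(f) | atoms(g))
    return all(evaluate(f, m) == evaluate(g, m)
               for vals in product([False, True], repeat=len(names))
               for m in [dict(zip(names, vals))])

# Constructed member of C_3^3 in the shape of Figure 2 (k = 2): two clauses
# carry A1, the third carries ~A1, and every clause mentions all three atoms.
FIG2 = [["A1", "A2", "A3"], ["A1", "~A2", "A3"], ["~A1", "A2", "~A3"]]
```

On FIG2 one factoring step on $A_1$ takes the nine literal occurrences down to eight, which is the $n - 2$ of the text for $n = 3$, and the intermediate result is exactly the right-hand side of Figure 2; continuing on the shared atoms of each side gives a DNNF of size 8. A unit clause needs no special case in the tableau recursion: extending by its single literal places that literal on the branch, which is what the text means by a unit node being "in effect labeled with the literal".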

The methods introduced in [6] rely on a recursive decomposition of the initial
clause set, in effect inducing partitions of increasing rank. When single clauses
are encountered, they are returned (perhaps partially evaluated) as already in
DNNF. But in all other cases, we have a conjunction of DNNF formulas, and
this triggers an iterative conditioning operation over all instances of certain
atom sets. These atom sets are pruned in recursive invocations for efficiency.
But in the initial calls, they amount to the intersection of the atom sets of
the initial partition's blocks. For the examples above, any two clauses share the
same $n$ atoms, and so an $O(2^n)$ process results.³ The output is a disjunction
in which each of $2^n$ disjuncts is either TRUE or FALSE conjoined with one of
the $2^n$ instantiations of the variable set. Unfortunately, the constant is TRUE
in all but $n$ cases, creating exponentially large output regardless of whether the
constants are removed through simplification.

We note here that in combination with (ordinary algebraic) factoring and
the Prawitz Rule, dissolution is also linear on $C^n$ and produces DNNF. This
is easy to see from Figure 2. We simply factor out both $P_1$ and $\neg P_1$ from the
clauses where they occur; the resulting single link admits the Prawitz rule, and
the result is exactly that of Figure 2 on the right.

Corollary. Path dissolution methods are sufficient to compile the class $C^n$ of
CNF formulas into DNNF in linear time and space. □

5 Future Work 

Tableaux inference systems are plentiful, and many can be set to obey regularity. 
Therefore, a closer look at the efficiency of regular tableaux for compiling to 
DNNF is merited. We conjecture that this method will turn out to be at least 
as efficient as those of [6]. 

Another question that remains is whether path dissolution can be guided so
as to produce full dissolvents that are in DNNF. In some sense, the answer is yes,
since dissolution can be viewed as a generalization of tableaux in which use of
the distributive laws is avoided fully or partially. A more precise, deterministic
answer is likely to provide insights useful for knowledge compilation.

³ In [6], a class of formulas is discussed for which the treewidth, a measure of the degree
to which clauses share atoms, is unbounded, yet the methods there are quadratic.
It turns out that both semantic factoring and dissolution are also quadratic on this
class, and the full dissolvent produced by dissolution is in DNNF.



Acknowledgement 

The authors are indebted to the reviewers for their careful reading of the paper; 
a number of corrections and improvements resulted. 



References 

[1] Bryant, R. E., Symbolic Boolean manipulation with ordered binary decision diagrams, ACM Computing Surveys 24, 3 (1992), 293-318.

[2] Cadoli, M., and Donini, F. M., A survey on knowledge compilation, AI Communications 10 (1997), 137-150.

[3] D'Agostino, M., Gabbay, D. M., Hähnle, R., and Posegga, J., Handbook of Tableau Methods, Kluwer Academic Publishers, 1999.

[4] Darwiche, A., Compiling devices: A structure-based approach, Proc. International Conference on Principles of Knowledge Representation and Reasoning (KR98), Morgan-Kaufmann, San Francisco (1998), 156-166.

[5] Darwiche, A., Model based diagnosis using structured system descriptions, Journal of A. I. Research 8, 165-222.

[6] Darwiche, A., Decomposable negation normal form, J. ACM 48, 4 (2001), 608-647.

[7] Darwiche, A. and Marquis, P., A knowledge compilation map, J. of AI Research 17 (2002), 229-264.

[8] Davis, M. and Putnam, H., A computing procedure for quantification theory, J. ACM 7, 1960, 201-215.

[9] Fitting, M., First-Order Logic and Automated Theorem Proving (2nd ed.), Springer-Verlag, New York (1996).

[10] Forbus, K. D. and de Kleer, J., Building Problem Solvers, MIT Press, Cambridge, Mass. (1993).

[11] Goubault, J. and Posegga, J., BDD's and automated deduction, Proceedings of the 8th International Symposium on Methodologies for Intelligent Systems, Charlotte, NC, Oct. 1994. In Lecture Notes in Artificial Intelligence, Springer-Verlag, Vol. 869, 541-550.

[12] Letz, R., First-order calculi and proof procedures for automated deduction, Ph.D. dissertation, TU Darmstadt, 1993.

[13] Letz, R., Mayr, K. and Goller, C., Controlled integration of the cut rule into connection tableau calculi, Journal of Automated Reasoning 13, 3 (December 1994), 297-338.

[14] Marquis, P., Knowledge compilation using theory prime implicates, Proc. International Joint Conference on Artificial Intelligence (IJCAI) (1995), Morgan-Kaufmann, San Mateo, California, 837-843.

[15] Murray, N. V. and Ramesh, A., An application of non-clausal deduction in diagnosis, Proceedings of the Eighth International Symposium on Artificial Intelligence, Monterrey, Mexico, October 17-20, 1995, 378-385.

[16] Murray, N. V. and Rosenthal, E., Inference with path resolution and semantic graphs, J. ACM 34, 2 (1987), 225-254.

[17] Murray, N. V. and Rosenthal, E., Reexamining tractability of analytic tableaux, Proc. of the 1990 Symposium on Symbolic and Algebraic Computation, 1990, 52-59.

[18] Murray, N. V., and Rosenthal, E., Dissolution: Making paths vanish, J. ACM 40, 3 (July 1993), 504-535.

[19] Murray, N. V., and Rosenthal, E., On the relative merits of path dissolution and the method of analytic tableaux, Theoretical Computer Science 131 (1994), 1-28.

[20] Prawitz, D., A proof procedure with matrix reduction, Lecture Notes in Mathematics 125, Springer-Verlag, 1970, 207-213.

[21] Ramesh, A., Beckert, B., Hähnle, R. and Murray, N. V., Fast subsumption checks using anti-links, Journal of Automated Reasoning 18, 1, Kluwer, 47-83 (1997).

[22] Ramesh, A., Becker, G. and Murray, N. V., CNF and DNF considered harmful for computing prime implicants/implicates, Journal of Automated Reasoning 18, 3 (1997), Kluwer, 337-356.

[23] Ramesh, A. and Murray, N. V., An application of non-clausal deduction in diagnosis, Expert Systems with Applications 12, 1 (1997), 119-126.

[24] Selman, B., and Kautz, H., Knowledge compilation and theory approximation, J. ACM 43, 2 (1996), 193-224.

[25] Smullyan, R. M., First-Order Logic, second corrected edition, Dover Press (1995).



A More Efficient Tableaux Procedure 
for Simultaneous Search for Refutations 
and Finite Models 



Nicolas Peltier
Leibniz-IMAG

46, Avenue Félix Viallet, 38031 Grenoble, France
Nicolas.Peltier@imag.fr



Abstract. We describe a (many-sorted) tableaux procedure that has
the following properties: it is sound, refutationally complete and com-
plete for finite satisfiability (i.e. the procedure terminates if the formula
has a finite model). As for standard tableaux methods, models can be
extracted from finite open branches. As with similar existing procedures, our
method relies on a modified $\delta$-rule that allows existing variables
occurring in the same branch to be reused. An original notion of complexity mea-
sure is introduced in order to control the application of this rule (which
is potentially time consuming). The procedure is semantically guided:
an interpretation (provided by the user) is used for pruning the search
space. This interpretation is refined dynamically during proof search until
a model or a contradiction is found. The method has been implemented
and some preliminary experimental results are presented.



1 Introduction and Motivations 

Tableaux calculi (see for example [7]) are based on the following principle: they
try to enumerate the (possibly infinite) interpretations potentially satisfying the
considered formula. To this purpose, a tree labeled by first-order formulae is con-
structed, using expansion rules reflecting the semantics of the logical symbols.
Each branch in the tree can be associated with a representation of a potential
model of the formula. Branches are closed when a contradiction is found, which
indicates that the interpretation corresponding to the branch does not satisfy the
formula at hand. Branches that cannot be closed correspond to models. These
procedures are very natural and rather close to human reasoning, which makes
them suitable for interactive theorem proving. They can be easily adapted to
specific syntaxes. Moreover, if a tableaux procedure terminates without detect-
ing a contradiction, then it provides as a by-product a model of the formula at
hand. This is an advantage over resolution calculi in which no model is explic-
itly constructed. Additional post-processing algorithms have to be designed for
extracting models from clause sets that are saturated under resolution, which is
possible only in some particular cases (see for example [6]).

Unfortunately, tableaux procedures seldom terminate, due to the fact that
infinite open branches (i.e. infinite models) can be generated. This is true even
if the formula does have finite models, because no effort is made to minimize the
interpretation constructed during the search. Consider for example the formula
$\phi = (p(a_0, a_1) \wedge (\forall x, y)(p(x, y) \Rightarrow (\exists z)p(y, z)))$.

$\phi$ has an obvious finite model $\{p(a_0, a_1), p(a_1, a_0)\}$. Standard tableaux calculi
will generate the following branch:

$\{p(a_0, a_1), p(a_1, a_2), p(a_2, a_3), \ldots, p(a_i, a_{i+1}), \ldots\}$.

At each step $i \in \mathbb{N}$, the $\gamma$ rule instantiates the formula $(\forall x, y)(p(x, y) \Rightarrow
(\exists z)p(y, z))$ with the substitution $x \to a_i$, $y \to a_{i+1}$, which produces the formulae
$p(a_i, a_{i+1}) \Rightarrow (\exists z)p(a_{i+1}, z)$ and (by modus ponens, after closing the branch
corresponding to $\neg p(a_i, a_{i+1})$) $(\exists z)p(a_{i+1}, z)$. To handle the existential quantifier,
a new constant symbol $a_{i+2}$ satisfying the desired property is introduced, which
produces the atom $p(a_{i+1}, a_{i+2})$. This last step is an application of the so-called
$\delta$-rule, that can be formulated as follows ($c$ denotes a new constant symbol, not
occurring in the branch).

$$\frac{(\exists x)\phi(x)}{\phi\{x \to c\}}$$

If no mechanism is added to detect potential loops, the process will continue
for ever, yielding the following (infinite) model: $\{p(a_i, a_{i+1}) \mid i \in \mathbb{N}\}$.
Note that using skolemization would produce exactly the same result: the exis-
tential quantification $(\exists z)p(y, z)$ would be replaced by the formula $p(y, f(x, y))$
(where $f$ denotes a new function symbol) and an infinite branch of the form
$\{p(a_0, a_1), p(a_1, f(a_0, a_1)), p(f(a_0, a_1), f(a_1, f(a_0, a_1))), \ldots\}$ will be generated.
The use of unification delays the application of the substitution but does not
affect the termination behaviour of the proof process.
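The divergence just described, replayed as an added example (this code is not from the paper; it is a hypothetical, formula-specific simulation in which facts are pairs standing for p(x, y), and the "engine" only handles the formula above). With the standard δ-rule the branch grows by one fresh constant per step; with a δ*-style policy that tries an existing constant first, the search stops on the two-element model {p(a0, a1), p(a1, a0)}:

```python
# Added example, not from the paper: the standard delta-rule versus a
# delta*-style "reuse existing constants first" policy on
#   phi = p(a0, a1) ∧ (∀x, y)(p(x, y) ⇒ (∃z)p(y, z)).
# Facts are pairs (x, y) standing for the atom p(x, y).  The engine below is
# a hypothetical, formula-specific simulation of the gamma/delta steps of
# the branch, not a general tableau prover.
from itertools import count


def rule_holds(facts):
    """Does the finite structure given by `facts` satisfy
    (∀x, y)(p(x, y) ⇒ (∃z)p(y, z))?  Brute force over the facts."""
    return all(any(f[0] == y for f in facts) for (_, y) in facts)


def expand(reuse_existing, max_steps=6):
    """Grow the branch starting from p(a0, a1).

    reuse_existing=False: delta-rule, every (∃z)p(y, z) gets a fresh a_i.
    reuse_existing=True : delta*-style, the ghost branch with an existing
                          constant is tried first (it is never closed here,
                          since the formula has no negative literal).
    Returns (facts, constants, diverged): `diverged` is True when the step
    bound is reached without the branch becoming a model.
    """
    facts = {("a0", "a1")}
    constants = ["a0", "a1"]
    fresh = count(2)
    for _ in range(max_steps):
        # gamma-rule instances p(x, y) ⇒ (∃z)p(y, z) whose conclusion is
        # not yet witnessed by any p(y, _) already on the branch
        pending = [(x, y) for (x, y) in sorted(facts)
                   if not any(f[0] == y for f in facts)]
        if not pending:
            return facts, constants, False        # open branch, finite model
        _, y = pending[0]
        if reuse_existing:
            z = constants[0]                      # ghost branch: reuse a0
        else:
            z = f"a{next(fresh)}"                 # delta-rule: new constant
            constants.append(z)
        facts.add((y, z))                         # the delta step p(y, z)
    return facts, constants, True


if __name__ == "__main__":
    for reuse in (False, True):
        facts, consts, diverged = expand(reuse)
        print("reuse" if reuse else "fresh", sorted(facts),
              "model:", rule_holds(facts), "diverged:", diverged)
```

The step bound is only there to make the divergent run observable; with it removed, the `reuse_existing=False` run never returns, which is exactly the behaviour the text attributes to the standard rule.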

Of course this is not a problem for refutational completeness since such
branches will eventually be closed in case the formula is unsatisfiable. How-
ever, if one wants to use the tableaux procedure for satisfiability detection and
model building, the generation of infinite branches should be avoided if possible.

The solution is to adapt the $\delta$-rule in order to make it more flexible. The
standard rule systematically introduces new constant symbols in the branch.
Allowing existing symbols to be "reused" may reduce the size of the model and can
avoid divergence. This rule, usually called the $\delta^*$-rule [13], can be formalized
as follows ($c$ denotes a new constant symbol, not occurring in the branch and
$\{c_1, \ldots, c_n\}$ are symbols occurring in the branch).

$$\frac{(\exists x)\phi(x)}{\phi\{x \to c_1\} \mid \ldots \mid \phi\{x \to c_n\} \mid \phi\{x \to c\}}$$

The branches corresponding to the constants $c_i$ are called "ghost" in [10] and
the branch corresponding to $c$ is said to be "primary".

For refutational completeness it is sufficient to assert that the formula $\phi$
can be fulfilled by a symbol $c$, possibly distinct from all the constants already
occurring in the branch. But for model building and satisfiability detection, it
may be useful to check whether $\phi$ could be fulfilled by an existing constant
symbol. Note that the ghost branches should be explored before (or in parallel
to) the primary branch. It is clear that if the primary branch can be closed then
the ghosts can be closed too.

Using the modified $\delta$-rule instead of the standard one preserves soundness
and refutational completeness. Moreover, it also guarantees that the procedure
is complete w.r.t. finite satisfiability, i.e. if a formula has a model on a domain
of finite cardinality then the tableau has a finite branch. To the best of our
knowledge, this idea was first introduced in [10] (see also [13]) for providing an
alternative to McCarthy's circumscription [15]. The goal was to minimize the
models constructed by the tableau procedure in order to define a notion of con-
sequence closer to natural reasoning (the notion of mini-consequence). In [20],
a similar idea is used for designing a calculus for "proving unprovability", i.e. for
checking that a given formula has a finite model. It is shown that this procedure
is complete for finite satisfiability but the possibility of combining it with the
search for refutation was not investigated. A procedure combining the two fea-
tures (search for refutations and finite models) is presented in [3]. It is designed
for a subclass of first-order logic, the so-called Positive Formulae with Restricted
Quantification (or PRQ-formulae for short) that has exactly the same expres-
sive power as first-order logic. Note, however, that these procedures have been
investigated only for first-order logic without function symbols. The extension to
the functional case has, to the best of our knowledge, never been considered.
Clearly the $\delta^*$-rule is of no use if the formula is in skolem normal form. From
a theoretical point of view this is not a problem since the addition of function
symbols does not increase the expressive power of first-order logic. But in case
the formula already contains function symbols, a pre-processing normalization
step is required to "flatten" the terms and replace all function symbols by rela-
tions. Clearly, this normalization is not very natural. Moreover, it can reduce the
efficiency, since one has to specify the properties of the "functional" predicate
symbols (e.g. introduce axioms such as $(\forall y_1, \ldots, y_n)(\exists x)p(y_1, \ldots, y_n, x)$ ensuring
that the interpretation of $p$ is a function) instead of encoding them into the proof
procedure itself. Moreover, it is clear that the systematic construction of ghost
branches will often increase the size of the tableaux, hence will reduce efficiency.
This is due to the fact that, if we want to ensure that the procedure is complete
w.r.t. finite satisfiability, all the ghost branches have to be closed before the
primary branch is considered (otherwise some finite models may be missed). On
the other hand, the use of the $\delta^*$ rule is not always useful. In many cases, the
primary branch itself is finite (either because it is closed or because it corre-
sponds to a finite model). In this case, the exploration of the ghost branches is
simply useless. In order to overcome this problem it is worthwhile to investigate
whether one can formulate tractable criteria allowing to decide, given a formula
$(\exists x)\phi$ occurring in a branch, which of the two rules, the $\delta$ or the $\delta^*$ rule, is to
be applied. Applying systematically the $\delta$-rule ensures refutational completeness,
but some finite models may be missed, hence completeness for finite satisfiability
is lost. On the other hand, using only the $\delta^*$-rule ensures that the procedure is
complete both for refutation and finite satisfiability, but introduces redundant
branches in the search space, which reduces efficiency. Is it possible to control the
application of the $\delta^*$-rule in such a way that completeness for finite satisfiability
is preserved and that (some) redundant branches are removed?

The present paper is an answer to these problems. We propose a tableaux
procedure using both the $\delta$ and $\delta^*$-rule in such a way that the use of $\delta^*$ is
avoided when it is possible, which improves the performance. In contrast to
the approaches mentioned before [20, 10, 13, 3] this procedure can handle any
first-order formula with function symbols (possibly containing equational liter-
als) without any normalization step, which avoids having to introduce artificially
additional predicate symbols for denoting functions. A-priori normalization of
the original formula (such as skolemization, transformation into clause normal
form or PRQ-formulae) is avoided. Moreover, an original feature of our proce-
dure is that it uses an interpretation (fixed arbitrarily before the beginning of
the search) in order to prune the search space, by discarding some applications
of the expansion rules. The idea of using semantics for pruning the search space
of proof procedures is rather old and has been thoroughly investigated. The
Geometry Theorem Proving machine described in [8] used a figure in order to
prune the search space. [18] formalized this idea in the context of the resolution
calculus and defined the notion of "semantic strategy" in which an interpreta-
tion is used for discarding useless applications of the Resolution principle. This
strategy has been extensively used in Automated Theorem Proving and often
appears to be very efficient (note that hyperresolution is a particular case of
semantic resolution). [17] described a proof calculus where an interpretation is
used to cut some branches and choose the right instantiation of the variables.
[16] (see also [5]) proposes a deduction procedure based on clever grounding
of the clause sets in which the given interpretation plays a central role
(together with ordering restrictions). Model Generation Theorem Provers (such
as SATCHMO [14, 4], MGTP [9] or Hyper-Tableaux [2]) combine the hyper-
resolution rule with instantiation and splitting for building models of sets of
clauses. Semantics are used to prune the search space, in the sense that only the
instances that are falsified by the interpretation corresponding to the branch are
considered for applying the $\gamma$-rule (see for example [1] for more details). The pro-
cedure FINIMO [3] can be seen as an extension of these techniques to first-order
formulae containing existential quantifiers but without any function symbols. In
some sense, our method extends these last approaches by considering arbitrary
interpretations and arbitrary first-order formulae. The models constructed by
our procedure are built by starting from an arbitrary interpretation (which is
assumed to be given) and by "refining" it dynamically until a model is found
(or a contradiction is detected).

Due to space restrictions, the proofs are omitted (they can be found at
http://www-leibniz.imag.fr/ATINF/Nicolas.Peltier/).
2 Preliminaries

In this section we briefly review the basic definitions and notations that are
necessary for the understanding of our work. We assume familiarity with the
usual notions in Logic and Automated Theorem Proving (see for example [7]).

We assume given a set of sort symbols $\mathcal{S}$, a set of function symbols $\Sigma$ and a set
of variables $\mathcal{V}$. Each variable is associated with a unique sort $s$ and each function
symbol $f \in \Sigma$ is associated with a unique profile of the form $s_1 \times \ldots \times s_n \to s$,
where $s_1, \ldots, s_n, s$ are sort symbols. The fact that $f$ has profile $P$ is denoted
by $f : P$. The set of terms of sort $s$ and the set of first-order formulae are
defined as usual on the set of function symbols $\Sigma$, the set of variables $\mathcal{V}$ using
the (unique) predicate symbol $\approx$ and the logical symbols $\neg, \vee, \wedge, \Rightarrow, \Leftrightarrow, \forall, \exists$.

Note that we assume that the formulae contain no predicate symbol other than $\approx$¹.
Quantifications on a variable of sort $s$ are denoted by $(\forall x : s)\phi$ and $(\exists x : s)\phi$
respectively. In order to simplify notations, $\phi(x)$ will frequently denote a first-
order formula containing $x$ as the only free variable. Then $\phi(t)$ denotes the
formula obtained by replacing the variable $x$ in $\phi$ by $t$.

The notions of interpretation, model, validity, etc. are defined as usual. The
truth value of a formula $\phi$ in an interpretation $\mathcal{I}$ over a variable assignment $\sigma$
is denoted by $\phi^{\mathcal{I},\sigma}$. If $\phi$ contains no free variable, then $\phi^{\mathcal{I}}$ denotes the truth
value of $\phi$ in $\mathcal{I}$ ($\sigma$ is not needed).

Positions are (possibly infinite) sequences of natural numbers that will be
used to denote branches in a tableau or subterms in a term. $\epsilon$ denotes the empty
position and $p.q$ denotes the concatenation of the positions $p$ and $q$. We write
$p \preceq q$ iff $p$ is a prefix of $q$. The notion of position in a term is defined as usual.
If $s, t$ are terms and $p$ is a position in $t$, then $t[s]_p$ denotes the term obtained by
replacing the subterm at position $p$ in $t$ by $s$.

We assume that $\Sigma$ contains an infinite (countable) number of constant sym-
bols of each sort $s$, noted $\mathcal{D}_s$, and that $c_s$ is an (arbitrarily chosen) element of $\mathcal{D}_s$.
Elements of $\mathcal{D}_s$ are usually called the skolem constants (in order to distinguish
them from the original constants occurring in the formula). They will be used to
define the domains of the interpretation constructed by the proof procedure. We
treat them as constant symbols in order to simplify notations. We assume given
a precedence $\prec$ on skolem constants and an injective function $\alpha$ mapping each
term $t$ of sort $s$ (resp. each closed formula of the form $(\exists x : s)\phi(x)$) to a constant
symbol $c \in \mathcal{D}_s$ strictly greater than any skolem constant occurring in $t$ (resp. in
$\phi(x)$).

A substitution is a function mapping each variable to a term of the same
sort. As usual substitutions can be extended to terms, formulae etc. The image
of a term (resp. formula) $t$ by a substitution $\sigma$ is denoted by $t\sigma$.

An interpretation $\mathcal{I}$ of a set of function symbols $\Sigma'$ is said to be canonic
iff the domain of the sort $s$ is included in $\mathcal{D}_s$, i.e. if for all $s \in \mathcal{S}$, $D_s^{\mathcal{I}} \subseteq \mathcal{D}_s$ and
for all skolem constants $c \in \Sigma'$, $c^{\mathcal{I}} = c$ (note that $\Sigma'$ may be a proper subset of
$\Sigma$ hence does not need to contain all the elements of $\mathcal{D}_s$).

¹ This is not restrictive because non equational formulae such as $p(x)$ could be replaced
by equations of the form $p(x) \approx true$, where $true$ is a new constant symbol of sort
boolean.

A term $t$ is called a disconnected subterm of $s$ if $t$ can be obtained from $s$
by removing some of the positions in $s$. For example $f(a), f(b)$ are disconnected
subterms of $f(g(a, b))$. More formally, the set of disconnected subterms of $s$ is
inductively defined as follows. (1) $t$ is a disconnected subterm of $t$; (2) if $t$ is
of the form $f(t_1, \ldots, t_n)$ and $s$ is a disconnected subterm of one of the $t_i$ ($1 \le
i \le n$) then $s$ is a disconnected subterm of $t$; (3) if $t$ is of the form $f(t_1, \ldots, t_n)$
and for all $i \in [1..n]$, $s_i$ is a disconnected subterm of $t_i$ then $f(s_1, \ldots, s_n)$ is
a disconnected subterm of $t$. This notion can be extended straightforwardly to
first-order formulae (for example $(\forall x)(\neg p(x))$ is a disconnected subformula of
$(\forall x)(\exists y)\neg(p(x) \vee p(y))$).

A complexity measure $C$ is a function mapping each term and formula to
a natural number and satisfying the following properties:

- if $t$ is a disconnected subterm (resp. subformula) of $s$ and $t \neq s$, then $C(t) <
C(s)$.

- for any natural number $k$, there exists a finite number of formulae and terms
of complexity lower than $k$ (i.e. the set $\{t \mid C(t) < k\}$ is finite).

- for any $c \in \mathcal{D}$, if $c = \alpha(t)$ then $C(c) = C(t)$ (see above for the definition of
the function $\alpha$).

Our notion of complexity measure is closely related to the notion of atomic
complexity measure as defined in [11]. However, it will be used for very different
purposes: [11] introduces this notion for proving termination of the hyperreso-
lution calculus on particular subclasses of first-order logic, whereas our notion
of complexity measure is used in the core of the proof procedure, to restrict the
application of the inference rules.
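The three clauses of the disconnected-subterm definition and the first property of a complexity measure, as an added example (Python, not the paper's code). The measure used to check the property is the depth measure the paper adopts in Section 3; the convention that a nullary symbol has depth 1 and the tuple encoding of terms are assumptions of this snippet.

```python
# Added example (not from the paper): disconnected subterms and the first
# property of a complexity measure, checked with the depth measure of
# Section 3.  Terms are nested tuples ("f", t1, ..., tn); a constant or a
# variable is a nullary tuple such as ("a",).
from itertools import product


def depth(t):
    """Depth-based C(t): max over the arguments plus one.  Assumption made
    here: a nullary symbol (constant/variable) has depth 1."""
    return 1 + max((depth(s) for s in t[1:]), default=0)


def disconnected_subterms(t):
    """The set of disconnected subterms of t, following clauses (1)-(3)."""
    result = {t}                                   # (1) t itself
    arg_sets = [disconnected_subterms(a) for a in t[1:]]
    for subs in arg_sets:                          # (2) inherited from an argument
        result |= subs
    if arg_sets:                                   # (3) f(s1, ..., sn) with each
        for combo in product(*arg_sets):           #     si disconnected from ti
            result.add((t[0],) + combo)
    return result


def proper_parts_are_smaller(t, measure=depth):
    """Property (1): every disconnected subterm other than t itself has a
    strictly lower complexity under `measure`."""
    return all(measure(s) < measure(t)
               for s in disconnected_subterms(t) if s != t)


def show(t):
    """Render a term tuple as f(g(a,b))-style text."""
    return t[0] if len(t) == 1 else f"{t[0]}({','.join(show(a) for a in t[1:])})"


if __name__ == "__main__":
    T = ("f", ("g", ("a",), ("b",)))
    print(sorted(show(s) for s in disconnected_subterms(T)))
    # ['a', 'b', 'f(a)', 'f(b)', 'f(g(a,b))', 'g(a,b)']
    print(proper_parts_are_smaller(T))   # True
```

Clause (3) is what makes f(a) and f(b) appear for f(g(a, b)): they are not ordinary subterms, but the depth of each is still strictly below that of the whole term, which is the property the paper relies on when it bounds rule applications by complexity.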

We need to introduce the following notation. Informally, $w^+(\phi)$ ($w$ standing
for "witness") is essentially identical to $\phi$, except that existential quantifica-
tions of the form $(\exists x : s)\psi$ occurring in $\phi$ are replaced by the stronger formula
$\psi\{x \to c_s\}$ (note that witness formulae are used only for detecting redundan-
cies, not for proof search). Note that since we want to avoid normalization, we
must also take into account the fact that subformulae may occur in the scope of
a negation symbol (or more generally under an odd number of negation symbols).

Let $\phi$ be a formula. We denote by $w^+(\phi)$ (resp. $w^-(\phi)$) the formula defined
as follows:

- $w^+(\phi) =_{def} w^-(\phi) =_{def} \phi$ if $\phi$ is atomic.

- $w^+(\phi \vee \psi) =_{def} w^+(\phi) \vee w^+(\psi)$, $w^+(\phi \wedge \psi) =_{def} w^+(\phi) \wedge w^+(\psi)$.

- $w^+(\neg\phi) =_{def} \neg w^-(\phi)$, $w^+(\phi \Rightarrow \psi) =_{def} w^-(\phi) \Rightarrow w^+(\psi)$.

- $w^+(\phi \Leftrightarrow \psi) =_{def} (w^+(\phi) \wedge w^+(\psi)) \vee (\neg w^-(\phi) \wedge \neg w^-(\psi))$.

- $w^+((\exists x : s)\phi) =_{def} w^+(\phi\{x \to c_s\})$, $w^-(\phi \Rightarrow \psi) =_{def} w^+(\phi) \Rightarrow w^-(\psi)$.

- $w^+((\forall x : s)\phi) =_{def} (\forall x : s)w^+(\phi)$, $w^-(\phi \vee \psi) =_{def} w^-(\phi) \vee w^-(\psi)$.

- $w^-(\phi \wedge \psi) =_{def} w^-(\phi) \wedge w^-(\psi)$, $w^-(\neg\phi) =_{def} \neg w^+(\phi)$.

- $w^-(\phi \Leftrightarrow \psi) =_{def} (w^-(\phi) \wedge w^-(\psi)) \vee (\neg w^+(\phi) \wedge \neg w^+(\psi))$.

- $w^-((\exists x : s)\phi) =_{def} (\exists x : s)w^-(\phi)$, $w^-((\forall x : s)\phi) =_{def} w^-(\phi\{x \to c_s\})$.

It follows from the definition that $w^+(\phi)$ expresses a stronger property than
the original formula $\phi$, i.e. $\phi$ is a logical consequence of $w^+(\phi)$: we have,
for any interpretation $\mathcal{I}$, if $\mathcal{I} \models w^+(\phi)$ then $\mathcal{I} \models \phi$, and if $\mathcal{I} \not\models w^-(\phi)$ then $\mathcal{I} \not\models \phi$.

Clearly, the definition of $w^+(\phi)$ does not depend on the terms occurring in
$\phi$ (that are merely copied without any modification) but only on the boolean
structure of the formula. Therefore, given a formula $\phi$ and a substitution $\sigma$,
it is equivalent to apply the substitution $\sigma$ to $\phi$ and then to compute the for-
mula $w^+(\phi\sigma)$ or to apply the substitution $\sigma$ to $w^+(\phi)$. This is expressed by the
following:

Proposition 1. Let $\phi$ be a formula and $\sigma$ a substitution. $w^+(\phi\sigma) = w^+(\phi)\sigma$.
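The witness transformation and Proposition 1, as an added example (Python, not the paper's implementation). Formulas are nested tuples, a substitution is a dict from variable names to term names, the fixed witness constant of sort s is spelled "c_s", and the existential case is implemented as w+(φ{x→c_s}); these encodings are assumptions of this snippet, not notation from the paper.

```python
# Added example (not from the paper): the witness formulas w+ and w- of
# Section 2 and a check of Proposition 1.  Formulas are tuples:
#   ("atom", pred, (arg, ...))        args are variable/constant names
#   ("not", phi), ("or"/"and"/"imp"/"iff", phi, psi)
#   ("forall"/"exists", var, sort, phi)
# A substitution is a dict {variable name: term name}; the fixed witness
# constant of sort s is spelled "c_s" (both are conventions of this snippet).


def subst(phi, sigma):
    """phi·sigma: replace free variables; a quantifier shadows its own variable."""
    kind = phi[0]
    if kind == "atom":
        return ("atom", phi[1], tuple(sigma.get(a, a) for a in phi[2]))
    if kind == "not":
        return ("not", subst(phi[1], sigma))
    if kind in ("or", "and", "imp", "iff"):
        return (kind, subst(phi[1], sigma), subst(phi[2], sigma))
    var, sort, body = phi[1], phi[2], phi[3]
    inner = {v: t for v, t in sigma.items() if v != var}
    return (kind, var, sort, subst(body, inner))


def witness(phi, sign=+1):
    """w+(phi) for sign=+1, w-(phi) for sign=-1, case by case as in the table."""
    kind = phi[0]
    if kind == "atom":
        return phi                                   # atoms are unchanged
    if kind == "not":                                # w±(¬φ) = ¬w∓(φ)
        return ("not", witness(phi[1], -sign))
    if kind in ("or", "and"):                        # same sign on both sides
        return (kind, witness(phi[1], sign), witness(phi[2], sign))
    if kind == "imp":                                # antecedent flips sign
        return ("imp", witness(phi[1], -sign), witness(phi[2], sign))
    if kind == "iff":                                # (w±φ ∧ w±ψ) ∨ (¬w∓φ ∧ ¬w∓ψ)
        a, b = phi[1], phi[2]
        return ("or", ("and", witness(a, sign), witness(b, sign)),
                      ("and", ("not", witness(a, -sign)), ("not", witness(b, -sign))))
    var, sort, body = phi[1], phi[2], phi[3]
    if (kind == "exists") == (sign > 0):
        # w+((∃x:s)φ) and w-((∀x:s)φ): instantiate with the witness constant c_s
        return witness(subst(body, {var: f"c_{sort}"}), sign)
    return (kind, var, sort, witness(body, sign))    # other quantifier cases


def proposition_1_holds(phi, sigma):
    """w+(phi·sigma) == w+(phi)·sigma for the given formula and substitution."""
    return witness(subst(phi, sigma)) == subst(witness(phi), sigma)


if __name__ == "__main__":
    # (∀x:s)(p(x, y) ⇒ (∃z:s)q(y, z)), with y free
    PHI = ("forall", "x", "s",
           ("imp", ("atom", "p", ("x", "y")),
                   ("exists", "z", "s", ("atom", "q", ("y", "z")))))
    print(witness(PHI, +1))
    print(witness(PHI, -1))
    print(proposition_1_holds(PHI, {"y": "a"}))
```

The sign flip under negation and in the antecedent of an implication is the whole point of the two mutually recursive cases: it keeps w+ stronger than, and w- weaker than, the original formula no matter how deeply the existential is nested.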

3 Proof Procedure: The S-TAB-RFM($\mathcal{I}$, $C$) Calculus

In this section we present our tableaux calculus for simultaneous search for refu-
tations and models. This calculus, called S-TAB-RFM($\mathcal{I}$, $C$) (for Semantically
guided Tableau Procedure for Refutation and Finite Model Construction), is
parametrized by an interpretation $\mathcal{I}$ and by a complexity measure $C$. $\mathcal{I}$ and $C$
will be used to prune the search space by discarding some applications of the
expansion rules. Both $\mathcal{I}$ and $C$ may be chosen arbitrarily. For instance we can
choose for $\mathcal{I}$ an interpretation mapping each term $t$ of sort $s$ not occurring in $\mathcal{D}_s$
to $c_s$. Alternatively, $\mathcal{I}$ can be provided by the user together with the problem
to solve². Similarly, several distinct complexity measures can be used, resulting
in different behaviours of the proof procedure. In our current implementation,
we use the most simple complexity measure: the one based on the depth of the
considered term (resp. formula). Precisely, this measure is defined as follows:

- for any $c \in \mathcal{D}$, if $c = \alpha(t)$ then $C(c) = C(t)$ (this follows from the definition).

- $C(f(t_1, \ldots, t_n)) =_{def} \max\{C(t_i) \mid i \in [1..n]\} + 1$.

- $C(\phi * \psi) =_{def} \max\{C(\phi), C(\psi)\} + 1$ (if $* \in \{\vee, \wedge, \Rightarrow, \Leftrightarrow\}$).

- $C(*\phi) =_{def} C(\phi) + 1$ if $* \in \{\neg, (\forall x), (\exists x)\}$.

Other complexity measures could be considered instead (for example assigning
different weights to each function and logical symbol, or taking into account the
total number of symbols instead of the depth). Heuristics for designing inter-
pretations and complexity measures well adapted to the particular problem at
hand deserve to be investigated in the future.

The notion of tableau is defined as usual. If $T$ is a tableau and $p$ a (possibly
infinite) position in $T$, then $T(p)$ denotes the set of formulae occurring along
the branch $p$ in $T$. A branch $p$ in $T$ is said to be closed if $false \in T(p)$ and $T$ is
said to be closed if any branch in $T$ is closed.

² Note that the fact that $\mathcal{I}$ is assumed to be canonic is not really restrictive here
because it is easy to transform automatically a non canonic interpretation into
a canonic one.
Tableaux will be constructed as usual from a root formula $\phi$ using a set of
expansion rules. Each rule is described as follows:

$$\frac{S}{B_1 \mid \ldots \mid B_n}$$

meaning that a leaf $p$ such that $T(p) = S$ can be extended by $n$ branches $p.i$ with
$T(p.i) = S \cup B_i$ (for the sake of readability we omit $S$ from the conclusion of the
rules). To ensure refutational completeness, we assume that the construction is
fair, i.e. that for any infinite branch $p$ in $T$, if a given expansion rule is applicable
at all positions $r \preceq p$ after a certain position $q \preceq p$, then it must be applied at
some point along $p$.

The following definition provides a criterion allowing to detect the formulae
on which the expansion rules should be applied.

We first introduce a notation. Given a set of formulae $S$ and a canonic inter-
pretation $\mathcal{I}$, we denote by $\mathcal{I}_S$ the interpretation defined as follows.

- For any sort symbol $s$, $D_s^{\mathcal{I}_S}$ (the domain of the sort $s$) is the union of all the
symbols $c \in \mathcal{D}_s$ occurring in $S$ plus the symbol $c_s$.

- For any function symbol $f : s_1 \times \ldots \times s_n \to s$ and for any tuple $(c_1, \ldots, c_n) \in
\mathcal{D}_{s_1} \times \ldots \times \mathcal{D}_{s_n}$, if there is no $c \in \mathcal{D}_s$ such that $f(c_1, \ldots, c_n) \approx c \in S$
then $f^{\mathcal{I}_S}(c_1, \ldots, c_n) =_{def} f^{\mathcal{I}}(c_1, \ldots, c_n)$.

- Otherwise, for any function symbol $f : s_1 \times \ldots \times s_n \to s$ and for any tuple
$(c_1, \ldots, c_n) \in \mathcal{D}_{s_1} \times \ldots \times \mathcal{D}_{s_n}$, we have $f^{\mathcal{I}_S}(c_1, \ldots, c_n) =_{def} c$ iff $c$ is the smallest
(according to $\prec$) element in $\mathcal{D}_s$ such that $f(c_1, \ldots, c_n) \approx c \in S$.

Note that $\mathcal{I}_S$ is finite if $S$ is finite (it may be infinite otherwise).

Informally, $\mathcal{I}_S$ is obtained by adapting the interpretation $\mathcal{I}$ in such a way
that all the "minimal" equations in $S$ are satisfied. In particular, if $S$ is empty (or
contains no equation) then $\mathcal{I}_S = \mathcal{I}$. If $p$ is a branch in a tableau $T$, then $\mathcal{I}_{T(p)}$
is the interpretation corresponding to $p$: functions are interpreted as specified by
the equations generated along the branch. Terms whose value is unknown are
interpreted as in the interpretation $\mathcal{I}$ (this may be seen as a "default value").

Definition 1. Let $T$ be a tableau and $p$ be a position in $T$.

A formula $\phi$ is said to be redundant (w.r.t. $T$ and $p$) if there exists a set of
formulae $\{\psi_1, \ldots, \psi_n\} \subseteq T(p)$ such that:

- For all $i \in [1..n]$, $C(\psi_i) < C(\phi)$;

- and $\bigwedge_{i=1}^n \psi_i \models \phi$.

A formula $\phi$ is said to be eligible (w.r.t. $T$ and $p$) if $\phi$ is non redundant and
$\mathcal{I}_{T(p)} \not\models w^+(\phi)$.

No expansion rule will be applied on a formula if it is not eligible, which
reduces the number of generated formulae in the branch and may prune the
search space.
Remark 1. From a practical point of view, checking whether $\bigwedge_{i=1}^n \psi_i$ models $\phi$ may
be difficult (since this problem is semi-decidable). Fortunately, testing whether
a formula is eligible or not is useful only for pruning the search space. Assum-
ing that any formula is eligible would not affect the soundness and refutational
completeness of our procedure, but would only increase the number of applicable
rules, which obviously makes the procedure less efficient in most cases³. There-
fore, we can either discard this condition (e.g. assume that it is never satisfied)
or use instead some stronger criteria. In our current implementation, we only
check whether $\phi$ can be deduced from the less complex formulae in the branch
by propositional reasoning. Any other criterion can be used, provided that it is ef-
fectively decidable and still sufficient to ensure that the condition "$\bigwedge_{i=1}^n \psi_i \models \phi$"
holds.

From a theoretical point of view, Definition 1 states, in some sense, the
"weakest" conditions ensuring refutational completeness. From a practical point
of view, it allows the elimination of redundant formulae in the branch, which
may be crucial for performance.

A sort symbol $s$ is said to be equational if the root formula contains an
equation $t_1 \approx t_2$ where $t_1$ and $t_2$ are of sort $s$.



Propositional Rules

The following rules only apply on eligible formulae. In the conclusions, formulae
separated by a comma are added to the same branch, and “|” separates alternative
branches.

  S ∪ {(φ ∨ ψ)}          S ∪ {(φ ∧ ψ)}          S ∪ {(φ ⇒ ψ)}
  -------------          -------------          -------------
      φ | ψ                  φ, ψ                  ¬φ | ψ

  S ∪ {(φ ⇔ ψ)}          S ∪ {¬¬φ}              S ∪ {¬(φ ∨ ψ)}
  --------------         ---------              --------------
  φ, ψ | ¬φ, ¬ψ              φ                      ¬φ, ¬ψ

  S ∪ {¬(φ ∧ ψ)}         S ∪ {¬(φ ⇒ ψ)}         S ∪ {¬(φ ⇔ ψ)}
  --------------         --------------         --------------
     ¬φ | ¬ψ                 φ, ¬ψ               ¬φ, ψ | φ, ¬ψ
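The propositional rules above, the clash on complementary literals and the redundancy test of Definition 1 (restricted, as in Remark 1, to propositional reasoning over the less complex formulae of the branch) can be exercised with the following Python sketch. It is an added example, not the paper's GnuProlog prototype: the tuple encoding of formulae, the choice of C as the number of connectives, and all function names are assumptions made here.

```python
"""Propositional expansion rules, branch closure and the redundancy test of
Definition 1 (propositional version, as in Remark 1).  Added example; not the
paper's GnuProlog prototype.  Formulae are nested tuples (an assumption):
('var', name), ('not', f), ('and', f, g), ('or', f, g), ('imp', f, g), ('iff', f, g).
A rule's conclusion is returned as a list of branches; formulae inside one branch
list are conjoined ("," in the paper), distinct lists are alternatives ("|")."""

def var(name):
    return ('var', name)

def complexity(f):
    """C(f): taken here as the number of connectives (assumed measure)."""
    return 0 if f[0] == 'var' else 1 + sum(complexity(s) for s in f[1:])

def expand(f):
    """Apply the propositional rule whose premise matches f.
    Returns a list of branches (each a list of new formulae), or None for a literal."""
    op = f[0]
    if op == 'var':
        return None
    if op == 'and':
        return [[f[1], f[2]]]                                     # phi, psi
    if op == 'or':
        return [[f[1]], [f[2]]]                                   # phi | psi
    if op == 'imp':
        return [[('not', f[1])], [f[2]]]                          # not phi | psi
    if op == 'iff':
        return [[f[1], f[2]], [('not', f[1]), ('not', f[2])]]     # phi,psi | not phi,not psi
    if op != 'not':
        raise ValueError('unknown connective %r' % (op,))
    g = f[1]
    if g[0] == 'var':
        return None
    if g[0] == 'not':
        return [[g[1]]]                                           # not not phi / phi
    if g[0] == 'and':
        return [[('not', g[1])], [('not', g[2])]]                 # not phi | not psi
    if g[0] == 'or':
        return [[('not', g[1]), ('not', g[2])]]                   # not phi, not psi
    if g[0] == 'imp':
        return [[g[1], ('not', g[2])]]                            # phi, not psi
    if g[0] == 'iff':
        return [[('not', g[1]), g[2]], [g[1], ('not', g[2])]]     # not phi,psi | phi,not psi
    raise ValueError('unknown connective %r' % (g[0],))

def is_closed(branch):
    """Clash (propositional case): a literal and its negation on the same branch."""
    s = set(branch)
    return any(('not', f) in s for f in s if f[0] == 'var')

def closed_tableau(branch, todo):
    """Depth-first construction.  `branch` holds every formula on the current
    branch, `todo` those not yet expanded.  True iff every branch closes."""
    if is_closed(branch):
        return True
    if not todo:
        return False                     # saturated open branch: satisfiable
    f, rest = todo[0], todo[1:]
    kids = expand(f)
    if kids is None:                     # literal: nothing to expand
        return closed_tableau(branch, rest)
    return all(closed_tableau(branch + kid, rest + kid) for kid in kids)

def entails(premises, f):
    """premises |= f propositionally: the tableau for premises + {not f} closes."""
    start = list(premises) + [('not', f)]
    return closed_tableau(start, start)

def redundant(f, branch):
    """Definition 1, decided by propositional reasoning only (Remark 1):
    f is redundant if the strictly less complex formulae on the branch entail it."""
    simpler = [g for g in branch if complexity(g) < complexity(f)]
    return entails(simpler, f)

if __name__ == '__main__':
    p, q = var('p'), var('q')
    print(entails([p, ('imp', p, q)], q))      # modus ponens: True
    print(redundant(('or', p, q), [p]))        # p is already on the branch: True
```

Because the entailment test is itself a closed-tableau search, it is decidable here only because the sketch is propositional; the paper's implementation makes the same restriction for the same reason.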



γ-Rule

  S ∪ {(∀x : s)φ(x)}
  ------------------
        φ(e)

If: φ(e) is eligible, e ∈ D_s and either e occurs in the branch or e = c_s.

Note that the condition “φ(e) is eligible” imposes constraints on the terms on
which the rule can be applied, which restricts the application of the rule, thus
avoiding “blind” instantiation.

⁵ Of course, in some cases this can actually make the procedure more efficient, just
as in some very particular cases, unrestricted resolution may be more efficient than
semantic resolution.
δ-Rule

  S ∪ {(∃x : s)φ(x)}
  ------------------
        φ(e)

If: (∃x : s)φ(x) is eligible, s is non equational, e = α((∃x)φ) and there
exists a symbol c ∈ D occurring in the branch such that C(e) < C(c).

δ*-Rule

  S ∪ {(∃x : s)φ(x)}
  ------------------------------
  φ(e_1) | ... | φ(e_n) | φ(e)

If: (∃x : s)φ(x) is eligible, e = α((∃x)φ), {e_1, ..., e_n} is the set of skolem
constants of sort s occurring in the branch, and either s is equational or for all
skolem constants c occurring in the branch, C(c) < C(e).

Informally speaking, the principle of our approach is to restrict the δ*-rule to
those symbols whose complexity is greater than that of the symbols already occurring in
the branch. Otherwise, the δ-rule is applied instead, hence no “ghost” is created.
A similar principle is used to restrict the application of the Term Decomposition
rules (see below).

Paramodulation Rule 

(/-(c) 

Term Decomposition Rules 



  S ∪ {(s ≈ t)}
  --------------------
  s[e]_p ≈ t, u ≈ e

If: e = α(u), (s ≈ t) is eligible, u is a term of a non equational sort occurring
at position p in s, there exists a symbol c ∈ D occurring in the branch such that
C(e) < C(c) and either p is non empty or t is not a constant symbol in D.

  S ∪ {(s ≈ t)}
  ----------------------------------------------------------------------
  s[e_1]_p ≈ t, u ≈ e_1 | ... | s[e_n]_p ≈ t, u ≈ e_n | s[e]_p ≈ t, u ≈ e

If: e = α(u), (s ≈ t) is eligible, u occurs at position p in s, and either the sort
of u is equational or for all symbols c ∈ D occurring in the branch C(c) < C(e),
and either p is non empty or t ∉ D. {e_1, ..., e_n} is the set of skolem constants of
the same sort as u occurring in the branch.

  S ∪ {(s ≉ t)}
  --------------------
  s[e]_p ≉ t, u ≈ e

If: e = α(u), (s ≉ t) is eligible, u is a term of a non equational sort occurring
at a position p in s and there exists a symbol c ∈ D occurring in the branch
such that C(e) < C(c).

  S ∪ {(s ≉ t)}
  ----------------------------------------------------------------------
  s[e_1]_p ≉ t, u ≈ e_1 | ... | s[e_n]_p ≉ t, u ≈ e_n | s[e]_p ≉ t, u ≈ e

If: e = α(u), (s ≉ t) is eligible, u occurs at position p in s, and either the sort
of u is equational or for all symbols c ∈ D occurring in the branch C(c) < C(e).
{e_1, ..., e_n} is the set of skolem constants of the same sort as u occurring in the
branch.

In our current implementation, the Term Decomposition rules are restricted
to subterms of the form u = f(c_1, ..., c_n) where c_1, ..., c_n are skolem constants.
This is sufficient for completeness but more flexible strategies are of course
possible.



Clash Rules

  S ∪ {(s ≉ s)}
  -------------
      false

  S ∪ {(c ≈ c')}
  --------------
      false

If c ≠ c', c, c' ∈ D.

The motivation of the second clash rule will become clearer from the soundness
proof. Intuitively, the tableau is constructed in such a way that distinct
constants will always denote distinct elements of the domain.



4 The Properties of the Calculus 

In this section, we prove that S-TAB-RFM(I,C) is sound (i.e. that if a tableau
for φ is closed, then φ is unsatisfiable) and refutationally complete (i.e. that if
φ is unsatisfiable then any fair tableau for φ is closed). Both properties are very
standard, but we need to prove them since our procedure cannot be simulated
by existing calculi, due to the particular restrictions on the expansion rules.
Moreover, we also show that the procedure is complete for finite model building,
i.e. that if φ admits a finite model then any tableau for φ has a finite branch.

Theorem 1. (soundness) Let φ be a formula and let T be a tableau for φ. If T
is closed then φ is unsatisfiable.

Theorem 2. (refutational completeness) Let φ be a formula and let T be a fair
tableau for φ. If φ is unsatisfiable then T is closed.

The reader should note that w^+(φ) needs to be carefully defined in order
to ensure refutational completeness. In particular, the replacement of the existential
quantification (∃x : s)φ(x) by the stronger formula φ(c_s) is essential. Assume
for instance that w^+(φ) had been defined as identical to φ, and consider the
following (unsorted) formula:



(∃x)(p(x) ≉ true) ∧ (∀x)(p(x) ≈ true) ∧ (∀x)(∃y)(x ≉ y)

This formula is obviously unsatisfiable. Assume that I maps p to a function
mapping each element of the domain to false (with false ≠ true). In this case,
(∃x)(p(x) ≉ true) is always true in I_S, provided that there exists an element c
such that p(c) ≈ true does not occur in S. In this case, one could obtain an
infinite, unclosed branch, as follows:

1  (∃x)(p(x) ≉ true)      (by the ∧-rule)
2  (∀x)(p(x) ≈ true)      (by the ∧-rule)
3  (∀x)(∃y)(x ≉ y)        (by the ∧-rule)
4  (∃y)(c_0 ≉ y)          (γ-rule on 3)
5  (c_0 ≉ c_1)            (δ-rule on 4)
6  p(c_0) ≈ true          (γ-rule on 2)
7  (∃y)(c_1 ≉ y)          (γ-rule on 3)
8  (c_1 ≉ c_2)            (δ-rule on 7)
9  p(c_1) ≈ true          (γ-rule on 2)
etc.

The point here is that the above infinite derivation is fair, despite the fact
that the δ-rule is never applied on the formula (∃x)(p(x) ≉ true). Indeed, it is
easy to check that, at any position in the branch, the formula (∃x)(p(x) ≉ true)
is non eligible, since it is always true in the interpretation I_S. Thus, the
application of the expansion rule on this formula is simply prevented by the proof
procedure, which leads to incompleteness! On the other hand, if w^+(φ) is defined
as in the present paper, then w^+((∃x)(p(x) ≉ true)) becomes false as soon as the
formula p(c_0) ≉ true is generated. Consequently, the application of the δ-rule is
allowed, which leads to the eventual closure of the branch. The key point here is
that the “witness” element ensuring that an existential quantification holds in
the underlying interpretation should not depend on the position in the branch.
This explains why we need to replace the existential quantification (∃x : s)φ(x) by
the stronger formula φ(c_s). In this case, the element is constant and
equal to c_s.



4.1 Completeness w.r.t. Finite Models 

We now prove that S-TAB-RFM(I,C) is complete w.r.t. finite models. We need
the following lemma, showing that our procedure satisfies (a form of) the sub-
formula property:

Lemma 1. Let φ be a formula and let T be a tableau for φ. The formulae
occurring in T are either disconnected subformulae of φ or obtained from a dis-
connected subformula ψ of φ by replacing some of the terms occurring in ψ by
skolem constants.

We immediately deduce that a branch containing a finite number of distinct
symbols must be finite:

Corollary 1. Let φ be a formula and let T be a tableau for φ. If p is a branch
in T such that the set of skolem constants contained in a formula in T(p) is
finite then p is finite.

Theorem 3. Let φ be a formula and let T be a fair tableau for φ. If φ admits
a finite model, then T has a finite open branch.
To summarize, given a formula φ, the procedure S-TAB-RFM(I,C) can behave
in 3 different ways.

— If φ is unsatisfiable then the procedure terminates and returns a closed
tableau for φ.

— If φ admits a finite model then there exists a finite open branch, hence the
procedure terminates (provided the branches are expanded in a fair way).
From the constructed (still partial) tableau T and one finite open branch p,
a finite model is automatically extracted.

— If φ is satisfiable but has no finite model then the procedure does not
terminate.

Of course several improvements are possible.

— Our procedure does not use unification. As is well known, it is possible to
significantly improve the performance of tableaux by introducing rigid variables
(instead of concrete terms) when applying the γ-rule and using unification to
compute the instances that are needed for closing the tableau. This avoids
having to “guess” the value of the variables in advance. On the other hand,
from the point of view of model building, systematic instantiation of the
variables appears to be essential. Is it possible to combine the use of rigid
variables with the special δ*-rule and with the search-space pruning strategies
presented in the present paper? In particular, the combination of our
method with the disconnection calculus of [12] (a calculus that avoids
instantiation but still permits branch saturation and extraction of models) should
be considered in the future.

— In order to improve its efficiency, our procedure should be combined with the
usual improvements of tableaux calculi. For instance, detection of lemmata
from closed branches could help to discard redundant inferences. Additional
techniques for restricting the application of the γ-rule and δ-rule could of
course be considered.

5 Some Experimental Results 

In this section, we provide some preliminary experimental results obtained with
S-TAB-RFM_Mini, our current implementation of S-TAB-RFM. S-TAB-RFM_Mini
is a prototype, implemented in GnuProlog with straightforward algorithms and
data structures, and without any significant optimization. It is not intended to
compete with the most powerful theorem provers available, but only to allow a
rough estimate of the influence of the proposed strategies on the performance
of the system. The program implements a very basic proof procedure, using
a breadth-first search strategy for choosing the instances of the universal formulae
on which the γ-rule should be applied. The interpretation I used to prune the
search space is the canonic interpretation mapping any atom distinct from t ≈ t
to false, and C is equal to the depth of the terms.

We use a small collection of problems from the TPTP library [19]. All the
problems are formulae of first-order logic without equality. “-” means that the
system did not terminate in a reasonable time (e.g. less than 5 min). All the
computation times are given in ms.

We provide for each problem the result obtained with 3 different strategies:
The first one (Basic) corresponds to the basic procedure, i.e. no interpretation
is used for pruning the search space and the δ-rule is not used (the δ*-rule is
applied systematically on each existential quantifier). The second one (Sem)
uses the empty interpretation for pruning the search space but the δ-rule is
not used. The third one (δ) uses the δ-rule and the restricted δ*-rule but not the
semantic restrictions. The fourth one (S-TAB-RFM) corresponds to the procedure
described in the present paper, i.e. the combination of Sem and δ.

The four procedures share exactly the same theoretical properties (i.e.
soundness, refutational completeness and completeness for finite models), which
makes the comparison relevant. For some problems (e.g. SYN060+1, SYN061+1,
SYN062+1, etc.) the computation times are too short to be significant, hence
we removed them from the list. Similarly, we removed problems that are too hard
for our current implementation.



Problems     Basic     Sem     δ        S-TAB-RFM
SYN036+1     101010    250     26570    170
SYN036+2     92310     670     21240    410
SYN049+2     360       490     70       200
SYN054+1     40        20      40       20
SYN055+1     30        20      30       20
SYN056+1     260       60      240      60
SYN057+1     50        30      50       20
SYN058+1     20        20      20       20
SYN059+1     130       50      70       40
SYN068+1     80        30      60       20
SYN069+1     7650      60      7140     50
SYN070+1     2460      160     2420     120
SYN084+1     160       60      90       50
SYN083+1     30        30      20       10
SYN319+1     -         -       -        20550
SYN320+1     -         -       -        50710



Generally speaking, it seems that the semantic strategy improves the performance
of the system in a significant way. By comparison, the use of the δ-rule is
less effective. However, when the difficulty of the problem increases, the
importance of the δ-rule becomes significant (see for instance SYN036+2, SYN036+1, or
SYN319+1). The combination of the two strategies gives the best result. Note that
for one particular problem (namely SYN049+2) disabling the semantic strategy
actually decreases the computation time. On the other hand, the δ-rule appears
to be quite effective in this case. Of course, further experiments (with more
powerful provers) and theoretical studies are needed before definite conclusions
can be drawn.
Abstract. The paper presents a method to automatically abstract equations
when translating formulas with equality to equivalent Boolean formulas,
allowing the use of a SAT-checker to determine the validity of the
original formula. The equations are abstracted with a special interpreted
predicate that satisfies the properties of symmetry, reflexivity, transitivity,
and functional consistency. This abstraction is both sound and
complete. In contrast to previous methods that encode only low-level
equations between term variables, the presented abstraction directly encodes
top-level equations where the arguments can be nested-ITE expressions
that select term variables. The automatic abstraction was used
to formally verify the safety of pipelined, superscalar, and VLIW processors,
and reduced the CNF clauses by up to 50%, while speeding up
the formal verification by up to an order of magnitude relative to the e_ij
method where a new Boolean variable is used to encode each unique
low-level equation between term variables. A heuristic for partial transitivity
resulted in additional speedup for correct benchmarks that require
transitivity.



1 Introduction 

In formal verification of microprocessors, equations (equality comparisons) are
used: 1) in the control logic, to express forwarding and stalling conditions, based
on equality between a source and a destination register; 2) in mechanisms for
correcting wrong speculations, when a predicted data value is not equal to the
actual one; and 3) in the correctness formula, to compare the final architectural
states of the implementation and the specification. The logic of Equality
with Uninterpreted Functions and Memories (EUFM) [7] allows us to abstract
functional units and memories, while completely modeling the control path of
a processor. In EUFM, word-level values are abstracted with expressions called
terms (see Sect. 2), whose only property is that of equality with other terms.
In our previous work on using EUFM to formally verify pipelined, superscalar,
and VLIW microprocessors [21], we imposed some simple restrictions on the
style for defining high-level processors. The result was a significant reduction
in the number of terms that appear in both positive and negated equations —
and are so called g-terms (for general terms) — while increasing the number of
terms that appear only in positive (not negated) equations — and are so called
p-terms (for positive terms). We will refer to equations that appear in both
positive and negated polarity as g-equations, and to those that appear only in
positive polarity as p-equations. The property of Positive Equality [21] allowed
us to treat syntactically different p-terms as not equal when checking the validity
of an EUFM formula, thus achieving significant simplifications, and orders
of magnitude speedup — see [5] for a correctness proof.

In the current paper, the implementation and specification are described in
the high-level hardware description language AbsHDL [25][27], based on the logic
of EUFM. The formal verification is done with an automatic tool flow, consisting
of: 1) the term-level symbolic simulator TLSim [25], used to symbolically simulate
the implementation and specification, and to produce an EUFM correctness
formula; 2) the decision procedure EVC [25] that exploits Positive Equality and
other optimizations to translate the EUFM correctness formula to an equivalent
Boolean formula, which has to be a tautology for the implementation to be
correct; and 3) an efficient SAT-checker. This tool flow was used at Motorola [13] to
formally verify a model of the M*CORE processor, and detected bugs. The tool
flow was also used in an advanced computer architecture course [27][28], where
undergraduate and graduate students designed and formally verified pipelined
DLX [10] processors, including variants with exceptions and branch prediction,
as well as dual-issue superscalar implementations.

While SAT-checkers are very quick to find a counterexample for a bug [26],
they can be orders of magnitude slower when proving unsatisfiability of CNF
formulas from correct designs. This paper proposes an approach to speed up the
formal verification of correct models by abstracting the g-equations in a sound
and complete way that results in a conceptually simpler solution space, fewer
CNF clauses, and up to an order of magnitude reduction in the SAT-checking
decisions and conflicts, relative to previous methods for encoding g-equations
with Boolean variables [9][16].

2 Background 

The formal verification is done by correspondence checking — comparison of
a pipelined implementation against a non-pipelined specification, using flushing
[7][8] to automatically compute an abstraction function that maps an
implementation state to an equivalent specification state. The safety property (see
Figure 1) is expressed as a formula in the logic of EUFM, and checks that one
step of the implementation corresponds to between 0 and k steps of the
specification, where k is the issue width of the implementation. F_Impl is the transition
function of the implementation, and F_Spec is the transition function of the
specification. We will refer to the sequence of first applying the abstraction function
and then exercising the specification as the specification side of the commutative
diagram in Figure 1, and to the sequence of first exercising the implementation
for one step and then applying the abstraction function as the implementation
side of the commutative diagram.
[Fig. 1 diagram not reproduced; recovered labels: “k steps”, “Safety property:”]

Safety property:

equality_0 ∨ equality_1 ∨ ... ∨ equality_k = true

Fig. 1. The safety correctness property for an implementation with issue
width k: one step of the implementation should correspond to between 0 and k
steps of the specification, when the implementation starts from arbitrary initial
state Q_Impl that may be restricted by invariant constraints



The safety property is a proof by induction, since the initial implementation
state, Q_Impl, is completely arbitrary. If the implementation is correct for all
transitions that can be made for one step from an arbitrary initial state, then
the implementation will be correct for one step from the next implementation
state, Q'_Impl, since that state will be a special case of an arbitrary state as used
for the initial state, and so on for any number of steps. For some processors, e.g.,
where the control logic is optimized by using unreachable states as don’t-care
conditions, we may have to impose a set of invariant constraints for the initial
implementation state in order to exclude unreachable states. Then, we need to
prove that those constraints will be satisfied in the implementation state after
one step, Q'_Impl, so that the correctness will hold by induction for that state, and
so on for all subsequent states. See [1][2] for a discussion of correctness criteria.

To illustrate the safety property in Figure 1, let the implementation and
specification have three architectural state elements — program counter (PC),
register file, and data memory. Let PC^i_Spec, RegFile^i_Spec, DMem^i_Spec be
the state of the PC, register file, and data memory, respectively, in specification
state Q^i_Spec (i = 0, ..., k) along the specification side. Let PC*_Spec, RegFile*_Spec
and DMem*_Spec be the state of the PC, register file, and data memory in
specification state Q*_Spec, reached after the implementation side of the diagram. Then,
each disjunct equality_i (i = 0, ..., k) is defined as:

equality_i ← pc_i ∧ rf_i ∧ dm_i,

where

pc_i ← (PC^i_Spec = PC*_Spec),

rf_i ← (RegFile^i_Spec = RegFile*_Spec),

dm_i ← (DMem^i_Spec = DMem*_Spec).

That is, equality_i is the conjunction of the pair-wise equality comparisons for all
architectural state elements, thus ensuring that the architectural state elements
are updated in synchrony by the same number of instructions. In processors
with more architectural state elements, an equality comparison is conjuncted
similarly for each additional state element. Hence, for this implementation, the
safety property is:

pc_0 ∧ rf_0 ∧ dm_0 ∨ pc_1 ∧ rf_1 ∧ dm_1 ∨ ... ∨ pc_k ∧ rf_k ∧ dm_k = true. (1)

The syntax of EUFM [7] includes terms and formulas. Terms are used to
abstract word-level values of data, register identifiers, memory addresses, as well
as the entire states of memory arrays. A term can be an Uninterpreted Function
(UF) applied to a list of argument terms, a term variable, or an ITE operator
selecting between two argument terms based on a controlling formula, such
that ITE(formula, term_1, term_2) will evaluate to term_1 if formula = true,
and to term_2 if formula = false. The syntax for terms can be extended to
model memories by means of the interpreted functions read and write [7][24].
Formulas are used to model the control path of a processor, as well as to
express the correctness condition. A formula can be an Uninterpreted Predicate
(UP) applied to a list of argument terms, a propositional variable, an ITE
operator selecting between two argument formulas based on a controlling formula,
or an equation between two terms. Formulas can be negated and combined with
Boolean connectives. We will refer to both terms and formulas as expressions.

UFs and UPs are used to abstract functional units by replacing them with 
“black boxes” that satisfy no particular properties other than that of functional 
consistency — that the same combinations of values to the inputs of the UF (or 
UP) produce the same output value. Then, it no longer matters whether the 
original functional unit is an adder, or a multiplier, etc., as long as the same UF 
(or UP) is used to replace it in both the implementation and the specification. 
Thus, we will prove a more general problem — that the processor is correct for 
any functionally consistent implementation of its functional units. However, this 
more general problem is easier to prove. 

Two possible ways to impose the property of functional consistency of UFs
and UPs are Ackermann constraints [3], and nested ITEs [21]. The Ackermann
scheme replaces each UF (UP) application in the EUFM formula F with a new
term variable (Boolean variable) and then adds external consistency constraints.
For example, the UF application f(a_1, b_1) will be replaced by a new term
variable c_1, another application of the same UF, f(a_2, b_2), will be replaced by a new
term variable c_2. Then, the resulting EUFM formula F' will be extended as
[(a_1 = a_2) ∧ (b_1 = b_2) ⇒ (c_1 = c_2)] ⇒ F'. In the nested-ITE scheme, the first
application of the above UF is still replaced by a new term variable c_1. However,
the second is replaced by ITE((a_2 = a_1) ∧ (b_2 = b_1), c_1, c_2), where c_2 is
a new term variable. A third one, f(a_3, b_3), is replaced by ITE((a_3 = a_1) ∧ (b_3 =
b_1), c_1, ITE((a_3 = a_2) ∧ (b_3 = b_2), c_2, c_3)), where c_3 is a new term variable, and
so on. UPs are eliminated similarly, but with new Boolean variables.
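As an added illustration of the two elimination schemes just described (this is not part of the paper, nor EVC's code), the following Python builds the Ackermann constraints and the nested-ITE chain for successive applications of the same UF, and evaluates both under a constructed assignment to show how each enforces functional consistency. The tuple representation of expressions, the UF name f, the argument names and the class name are assumptions.

```python
"""Eliminating applications of an uninterpreted function (UF) from an EUFM
formula: Ackermann constraints versus the nested-ITE scheme.  Added example,
not EVC's implementation.  Terms and formulas are nested tuples (assumed):
('var', name), ('=', t1, t2), ('and', f1, f2), ('imp', f1, f2), ('ITE', c, t1, t2).
The UF name 'f' and the argument names below are constructed for illustration."""

def args_equal(args1, args2):
    """Conjunction of pairwise equations between two argument lists."""
    eqs = tuple(('=', x, y) for x, y in zip(args1, args2))
    return eqs[0] if len(eqs) == 1 else ('and',) + eqs

class Eliminator:
    """Remembers earlier applications of each UF so later ones can refer to them."""

    def __init__(self):
        self.seen = {}       # UF name -> list of (argument tuple, fresh term variable)
        self.counter = 0

    def fresh(self):
        self.counter += 1
        return ('var', 'c%d' % self.counter)

    def ackermann(self, uf, args):
        """Replace uf(args) by a fresh term variable c and return (c, constraints):
        one constraint (prev_args = args) => (prev_c = c) per earlier application."""
        c = self.fresh()
        earlier = self.seen.setdefault(uf, [])
        constraints = [('imp', args_equal(prev_args, args), ('=', prev_c, c))
                       for prev_args, prev_c in earlier]
        earlier.append((args, c))
        return c, constraints

    def nested_ite(self, uf, args):
        """Replace uf(args) by ITE(args = args_1, c_1, ITE(args = args_2, c_2, ... c_new)),
        so functional consistency is built into the term itself."""
        c = self.fresh()
        earlier = self.seen.setdefault(uf, [])
        term = c
        for prev_args, prev_c in reversed(earlier):   # innermost test is against the latest
            term = ('ITE', args_equal(args, prev_args), prev_c, term)
        earlier.append((args, c))
        return term

def evaluate(expr, env):
    """Evaluate a term/formula under env (term variable name -> value)."""
    op = expr[0]
    if op == 'var':
        return env[expr[1]]
    if op == '=':
        return evaluate(expr[1], env) == evaluate(expr[2], env)
    if op == 'and':
        return all(evaluate(s, env) for s in expr[1:])
    if op == 'imp':
        return (not evaluate(expr[1], env)) or evaluate(expr[2], env)
    if op == 'ITE':
        return evaluate(expr[2], env) if evaluate(expr[1], env) else evaluate(expr[3], env)
    raise ValueError('unknown operator %r' % (op,))

if __name__ == '__main__':
    a1, b1, a2, b2 = (('var', n) for n in ('a1', 'b1', 'a2', 'b2'))
    ack = Eliminator()
    ack.ackermann('f', (a1, b1))
    _, constraints = ack.ackermann('f', (a2, b2))
    nest = Eliminator()
    nest.nested_ite('f', (a1, b1))
    t2 = nest.nested_ite('f', (a2, b2))
    env = {'a1': 5, 'b1': 7, 'a2': 5, 'b2': 7, 'c1': 1, 'c2': 2}
    print(evaluate(t2, env))              # the ITE forwards c1 because the arguments agree
    print(evaluate(constraints[0], env))  # the same assignment violates the Ackermann constraint
```

The contrast is the point of the two schemes: with nested ITEs the fresh variable c_2 is simply never selected when the arguments coincide, whereas with Ackermann constraints an assignment giving c_1 and c_2 different values is ruled out by an extra formula conjoined outside F'.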

To compare the sequence of write operations that form the final states of
memories after the implementation and specification sides of the diagram, the
decision procedure EVC [25] automatically introduces a new term variable to
serve as comparison address for each memory. Let cmp-addr be the new term
variable introduced for the register file. Then, each equation (RegFile^i_Spec =
RegFile*_Spec) is replaced with:

(read(RegFile^i_Spec, cmp-addr) = read(RegFile*_Spec, cmp-addr)),

thus checking whether an arbitrary address in the register file is modified in the
same way by both sides of the diagram. EVC replaces a read from a sequence of
writes with a sequence of nested ITEs, according to the forwarding property of
the memory semantics, such that each ITE is controlled by an equation between
the new term variable and the destination address of the eliminated write. These
equations appear in dual polarity — positive when selecting the then-expression
of the ITE, and negative when selecting the else-expression — i.e., are g-equations
that need to be encoded with Boolean variables.

We will call complete equality the usual equality, where two (syntactically)
different term variables a and b can be either equal or not equal to each other, and
will use = to denote it. Reasoning about complete equality requires a case split,
in order to account for both cases, and hence the need to encode it with Boolean
variables when translating an EUFM formula to an equivalent Boolean formula.
We will call syntactic equality the subset of complete equality where a term
variable is equal only to itself, and will use =_SYN to denote it. We will call
delta equality the difference between complete equality and syntactic equality,
and will use =_Δ to denote it. That is, if t_1 and t_2 are two terms consisting of
ITE operators, term variables, and formulas controlling the ITE operators, then
(t_1 =_Δ t_2) is defined as (t_1 = t_2) ∧ ¬(t_1 =_SYN t_2), or equivalently, complete
equality (t_1 = t_2) is defined as (t_1 =_SYN t_2) ∨ (t_1 =_Δ t_2). We will call hybrid
equality the extension of syntactic equality with a proper subset of the delta
equality between two terms, and will denote it with =_HYB.

The property of Positive Equality is due to the observation that the correctness
formula (1) consists of top-level p-equations that are combined with the
monotonically positive connectives of conjunction and disjunction, but are not
negated. Then, if the formula is valid (true) when the complete equality in the
top-level p-equations is replaced with syntactic equality, the formula will also
be valid with the original complete equality in those equations, since then the
formula can only get bigger due to the omitted delta equality that will be added
through monotonically positive connectives. However, the benefit from using
only syntactic equality for the top-level p-equations is the significant reduction
of the solution space, resulting in orders of magnitude speedup. Similarly, we
exploit syntactic functional consistency when eliminating UFs and UPs in that
the property of functional consistency is enforced only for the cases of syntactic
equality between corresponding arguments in applications of the same UF / UP,
unless both arguments are g-terms. Syntactic functional consistency is a
conservative approximation, since functional consistency is enforced only for a subset
of the conditions for complete functional consistency (based on complete equality).
If F is a formula obtained after eliminating all UFs/UPs by accounting for
only syntactic functional consistency, and F is valid, then so will be the formula
obtained from F by accounting for complete functional consistency, e.g.,
by extending F with Ackermann constraints for complete functional consistency.
However, g-equations could be either true or false, and need to be encoded with
Boolean variables [9][16].

A low-level g-equation is one where both arguments are term variables. A top-
level g-equation is one where the arguments can be either term variables or
nested-ITE expressions selecting term variables. Previous methods for encoding
g-equations with Boolean variables [9][16] eliminate top-level g-equations by
pushing them to the argument term variables, and then encode the resulting
low-level g-equations. The e_ij encoding [9] replaces each unique low-level equation
between different term variables v_i and v_j with a new Boolean variable,
called e_ij. The property of symmetry of equality is accounted for by sorting v_i
and v_j according to their indices, e.g., so that i < j, before introducing a Boolean
variable; and the property of transitivity of equality — if v_i = v_j and v_j = v_k
then v_i = v_k — is enforced with transitivity constraints of the form e_ij ∧ e_jk ⇒ e_ik.
In the small-domain encoding [16], each g-term variable is assigned a set of
constants that it can take on in a way that allows it to be either equal to or different
from any other g-term variable that it can be transitively compared for equality
with. If a g-term variable is assigned a set of N constants, then those can be
indexed with ⌈log_2(N)⌉ Boolean variables. Two g-term variables are equal if their
indexing Boolean variables select simultaneously a common constant. The property
of transitivity is automatically enforced in this encoding. Depending on the
structure of the g-term equality-comparison graphs, the small-domain encoding
may introduce fewer Boolean variables than the e_ij encoding. That could mean
a smaller search space. However, now a low-level g-equation is replaced with
a Boolean formula — enumerating all cases when the argument g-term variables
evaluate to a common constant — instead of a single Boolean variable. In our
previous work [26], we found the e_ij encoding to outperform the small-domain
encoding when formally verifying microprocessors. For other benchmarks, Seshia
et al. [18] proposed a hybrid encoding, such that the e_ij and small-domain encodings
are each used on a different connected component of low-level g-equations
in the same correctness formula. The decision procedure EVC adds all transitivity
constraints for the e_ij variables to the CNF correctness formula, while the
decision procedure CVC [4] iteratively analyzes counterexamples, and includes
transitivity constraints incrementally — just as many as to prevent the recurrence
of a counterexample. However, Seshia et al. [18] found the incremental approach
to result in significant overhead when checking validity of complex formulas.
3 Automatic Abstraction of Equations

In this section, we will assume that the interpreted functions read and write,
as well as all UFs and UPs, have been eliminated from the EUFM correctness
formula. That is, each term in the formula is either a term variable, or a nested-
ITE expression selecting term variables. In this formula, instead of encoding
low-level g-equations, we can automatically abstract the top-level g-equations
with the special interpreted predicate abs-equality that satisfies the properties of
transitivity, syntactic functional consistency, syntactic symmetry, and (syntactic)
reflexivity. Note that the abstracted complete equality is: 1) transitive — if a = b
and b = c then a = c; 2) symmetric — if a = b then b = a; 3) reflexive, i.e.,
a = a is true; and 4) functionally consistent — given two equations a = b and
c = d, the equality between arguments in the same positions, i.e., a = c and
b = d, implies that the two equations have equal values, as follows from the
property of transitivity, since the four equations form a cycle, and if three of
them are true then the fourth should also be true, while if one is false and
two are true then the fourth should be false or otherwise there will be a cycle
of three equations that are true, implying that the first should be true and so
contradicting its value. Also note that the property of reflexivity is equivalent to
syntactic equality, since the property holds when exactly the same term variable
appears on both sides of an equation.

We can extend either the nested-ITE or the Ackermann-constraint scheme 
for elimination of uninterpreted predicates in order to eliminate applications of 
abs-equality by accounting for its properties of syntactic functional consistency, 
syntactic symmetry, and reflexivity. Transitivity can be imposed as in the case 
of low-level g-equations [26] — by triangulating the equality-comparison graph 
(where each vertex is a term used in a top-level g-equation, and each edge corresponds 
to a g-equation between two terms) with extra edges, added in a greedy 
manner to turn every two edges with a common vertex into a triangle (cycle of 
length 3), and then imposing three transitivity constraints for the CNF variables 
representing the values of the g-equations in a triangle. 

In order to adopt the nested-ITE scheme, each ITE-controlling formula is 
extended to account for syntactic symmetry, while the top ITE expression is 
disjuncted with the condition for syntactic equality between the two arguments, 
thus ensuring reflexivity. That is, the first application abs-equality$(t_1, t_2)$, 
where $t_1$ and $t_2$ are terms, is eliminated with 

$(t_1 =_{SYN} t_2) \lor E_1$, 

where $E_1$ is a new Boolean variable, and the disjunction of $(t_1 =_{SYN} t_2)$ ensures 
reflexivity. A second application abs-equality$(t_3, t_4)$ is eliminated with 

$(t_3 =_{SYN} t_4) \lor ITE((t_3 =_{SYN} t_1) \land (t_4 =_{SYN} t_2) \lor (t_4 =_{SYN} t_1) \land (t_3 =_{SYN} t_2),\ E_1,\ E_2)$, 

where $E_2$ is a new Boolean variable, and the disjunction of $(t_3 =_{SYN} t_4)$ ensures 
reflexivity. In the controlling formula, the expression $(t_3 =_{SYN} t_1) \land (t_4 =_{SYN} t_2)$ 
ensures syntactic functional consistency, as in the original nested-ITE scheme for 
elimination of UFs and UPs, and the disjunction of $(t_4 =_{SYN} t_1) \land (t_3 =_{SYN} t_2)$ 
ensures syntactic symmetry. A third application abs-equality$(t_5, t_6)$ is eliminated 
with 

$(t_5 =_{SYN} t_6) \lor ITE((t_5 =_{SYN} t_1) \land (t_6 =_{SYN} t_2) \lor (t_6 =_{SYN} t_1) \land (t_5 =_{SYN} t_2),\ E_1,\ ITE((t_5 =_{SYN} t_3) \land (t_6 =_{SYN} t_4) \lor (t_6 =_{SYN} t_3) \land (t_5 =_{SYN} t_4),\ E_2,\ E_3))$, 

where $E_3$ is a new Boolean variable. 

The Ackermann-constraint scheme can be customized similarly. Each of the 
three applications, abs-equality$(t_1, t_2)$, abs-equality$(t_3, t_4)$, and abs-equality$(t_5, t_6)$, 
will be eliminated with a new Boolean variable — $E_1$, $E_2$, and $E_3$, respectively. 
Let $F'$ be the resulting EUFM formula. To account for the properties of reflexivity, 
syntactic symmetry, and syntactic functional consistency of abs-equality, we 
define separate constraints, conjunct them in formula constraints, and use it to 
restrict $F'$, i.e., prove the validity of constraints $\Rightarrow F'$. In particular, to enforce 
reflexivity of the first, second, and third applications of abs-equality, we use the 
constraints 

$(t_1 =_{SYN} t_2) \Rightarrow E_1$, $(t_3 =_{SYN} t_4) \Rightarrow E_2$, and $(t_5 =_{SYN} t_6) \Rightarrow E_3$, 

respectively. To account for syntactic functional consistency and syntactic symmetry 
of the second application with respect to the first, we use 

$[(t_3 =_{SYN} t_1) \land (t_4 =_{SYN} t_2) \lor (t_4 =_{SYN} t_1) \land (t_3 =_{SYN} t_2)] \Rightarrow (E_1 \Leftrightarrow E_2)$. 

To account for syntactic functional consistency and syntactic symmetry of the third 
application with respect to the first, we use 

$[(t_5 =_{SYN} t_1) \land (t_6 =_{SYN} t_2) \lor (t_6 =_{SYN} t_1) \land (t_5 =_{SYN} t_2)] \Rightarrow (E_1 \Leftrightarrow E_3)$. 

Finally, to account for syntactic functional consistency and syntactic symmetry of the 
third application with respect to the second, we add the constraint 

$[(t_5 =_{SYN} t_3) \land (t_6 =_{SYN} t_4) \lor (t_6 =_{SYN} t_3) \land (t_5 =_{SYN} t_4)] \Rightarrow (E_2 \Leftrightarrow E_3)$. 

Example: Let $t_1, t_2, t_3, t_4, t_5$, and $t_6$ be six terms defined as follows: 

$t_1 \leftarrow a$ 
$t_2 \leftarrow b$ 
$t_3 \leftarrow ITE(f_1, c, a)$ 
$t_4 \leftarrow c$ 
$t_5 \leftarrow ITE(f_2, d, a)$ 
$t_6 \leftarrow ITE(f_3, a, b)$ 

where a, b, c, and d are term variables, and $f_1$, $f_2$, and $f_3$ are formulas. Let 
$(t_1 = t_2)$, $(t_3 = t_4)$, and $(t_5 = t_6)$ be top-level g-equations in an EUFM formula. 

To apply the $e_{ij}$ encoding, the top-level g-equations will be pushed to their 
argument term variables: the first equation will remain unchanged, $(a = b)$, 
since both arguments are term variables, and will be replaced with the new 
Boolean variable $e_{ab}$; the second will become $ITE(f_1, c = c, a = c)$, i.e., 
$ITE(f_1, true, a = c)$, and will be replaced with $f_1 \lor e_{ac}$, after $a = c$ is encoded 
with the new Boolean variable $e_{ac}$; the third will become 
$ITE(f_2, ITE(f_3, a = d, b = d), ITE(f_3, a = a, a = b))$, and will be replaced with 
$f_2 \land f_3 \land e_{ad} \lor f_2 \land \neg f_3 \land e_{bd} \lor \neg f_2 \land f_3 \lor \neg f_2 \land \neg f_3 \land e_{ab}$, 
after $a = d$ is encoded with $e_{ad}$ and $b = d$ is encoded with $e_{bd}$. 

Using the special interpreted predicate abs-equality, the top-level g-equations 
will be abstracted as abs-equality$(t_1, t_2)$, abs-equality$(t_3, t_4)$, and 
abs-equality$(t_5, t_6)$. Then, using the nested-ITE scheme, the first application of 
abs-equality will be eliminated with $(a =_{SYN} b) \lor E_1$, which evaluates to $E_1$, since a 
and b are two (syntactically) different term variables, so that their syntactic 
equality evaluates to false. The second application will be eliminated with 

$(ITE(f_1, c, a) =_{SYN} c) \lor ITE((ITE(f_1, c, a) =_{SYN} a) \land (c =_{SYN} b) \lor (c =_{SYN} a) \land (ITE(f_1, c, a) =_{SYN} b),\ E_1,\ E_2)$, 

which evaluates to $f_1 \lor ITE(\neg f_1 \land false \lor false \land false,\ E_1,\ E_2)$, i.e., to 
$f_1 \lor E_2$, where $f_1$ expresses the condition for syntactic equality between the two 
arguments, while $E_2$ encodes the two possible values of the delta equality between 
the two argument terms. Eliminating the third application of abs-equality, and 
simplifying the resulting expression, we get 

$\neg f_2 \land f_3 \lor ITE(\neg f_2 \land \neg f_3,\ E_1,\ E_3)$, 

where the formula $\neg f_2 \land f_3$ expresses the condition for syntactic equality between 
the two arguments, while the ITE operator will select Boolean variable $E_1$ if the 
formula $\neg f_2 \land \neg f_3$ is true, i.e., in the cases of syntactic functional consistency 
with the arguments of the first application of abs-equality, while the new Boolean 
variable $E_3$ encodes the delta equality between the two arguments in the cases 
when the arguments do not satisfy the conditions for syntactic functional consistency 
or syntactic symmetry with respect to previous pairs of arguments. 

Using Ackermann constraints to enforce reflexivity, syntactic functional consistency, 
and syntactic symmetry for abs-equality, the first, second, and third applications 
will be replaced with the new Boolean variables $E_1$, $E_2$, and $E_3$, respectively. 
Then, the resulting formula will be evaluated under the constraints: $f_1 \Rightarrow E_2$, 
enforcing reflexivity for abs-equality$(t_3, t_4)$; $\neg f_2 \land f_3 \Rightarrow E_3$, enforcing 
reflexivity for abs-equality$(t_5, t_6)$; and $\neg f_2 \land \neg f_3 \Rightarrow (E_1 \Leftrightarrow E_3)$, enforcing 
syntactic functional consistency between abs-equality$(t_1, t_2)$ and abs-equality$(t_5, t_6)$. 

Theorem 1. Let F be an EUFM formula that contains term variables, Boolean 
variables, logic connectives, ITE operators, and equations. Then, abstracting the 
top-level g-equations in F with the interpreted predicate abs-equality is sound 
and complete. 

Proof: Let formula $F'$ be obtained from F after abstracting the top-level 
g-equations with the interpreted predicate abs-equality. 

Soundness — the validity of $F'$ implies the validity of F. If $F'$ is valid, then 
so will be any formula obtained from $F'$ after replacing abs-equality with any 
predicate that has two arguments, and satisfies the properties of transitivity, 
reflexivity, syntactic symmetry, and syntactic functional consistency, including 
the original complete equality. Note that by its definition, abs-equality satisfies 
the property of syntactic equality, i.e., reflexivity. What is missing from complete 
equality are two constraints: 1) if the delta equality between terms a and b is true, 
then abs-equality(a, b) should be true; and 2) if the complete equality between 
terms a and b is false, then abs-equality(a, b) should be false. However, if $F'$ 
is valid without such constraints, it will be valid with them: 

$[((a =_{\Delta} b) \Rightarrow \textit{abs-equality}(a, b)) \land (\neg(a = b) \Rightarrow \neg\textit{abs-equality}(a, b))] \Rightarrow F'$, 

where the resulting formula is trivially valid, since $F'$ is already valid. 

Completeness — a counterexample in $F'$ can be mapped to a counterexample 
in F. A counterexample in $F'$ consists of assignments to variables $E_i$, used when 
eliminating abs-equality, and assignments to the other Boolean variables that 
also appear in F. The arguments of each abstracted g-equation are either term 
variables or nested-ITE expressions that select term variables, where the ITE 
operators are controlled by formulas that depend on applications of abs-equality 
and on the other Boolean variables. Hence, each counterexample results in an 
assignment to the ITE-controlling formulas, thus selecting some term variable a 
as the first argument of an application of abs-equality, and another term variable 
b as the second argument. Then, we can assign the value of that particular 
application of abs-equality to the low-level equation a = b and can replace that 
application of abs-equality with the original complete equality. The correctness 
formula is a Directed Acyclic Graph (DAG), so that the value of the introduced 
top-level g-equation does not affect the arguments of that equation. Hence, the 
ITE-controlling formulas in the arguments will keep their values, and so a and b 
will still appear on the two sides of that g-equation, which will have the same 
value as the replaced application of abs-equality. We can similarly map the 
value of each remaining application of abs-equality to a value of a low-level 
g-equation between the term variables selected by the nested-ITE arguments, and 
then replace that application of abs-equality with a top-level g-equation, which 
will get the same value as the one assigned to the low-level g-equation, i.e., as 
the one of the eliminated application of abs-equality. Thus, all abstractions of 
top-level g-equations will be undone, and we will get the original formula F. 
What remains to be proved is that these assignments to low-level g-equations 
will not violate the properties of equality. First, reflexivity is always preserved, 
since syntactic equality between the two arguments is always accounted for, and 
an application of abs-equality is forced to be true when exactly the same term 
variable is selected to appear on both sides of the abstracted g-equation, i.e., it is 
impossible for the same term variable to appear as both arguments of an application 
of abs-equality that evaluates to false. Second, constraints for syntactic 
functional consistency ensure that if the same pair of term variables is selected 
as arguments of different applications of abs-equality, then those applications 
will have the same value, i.e., it is impossible for the same low-level g-equation 
between term variables to get assigned contradicting values from different applications 
of abs-equality. Third, because of constraints for syntactic symmetry, it 
is similarly impossible for two symmetric low-level equations, a = b and b = a, 
to get assigned different values. Fourth, transitivity will never be violated, since 
constraints for transitivity of equality ensure that applications of abs-equality do 
not violate transitivity, and, as described above, a counterexample determines 
a 1-to-1 mapping of every cycle of abstracted top-level g-equations to an isomorphic 
cycle of low-level g-equations, each having value identical to that of the 
corresponding abstracted top-level g-equation. □ 

Note that each counterexample maps the value of an abstracted top-level 
g-equation to exactly one low-level g-equation between term variables in the 
support of the top-level g-equation. The low-level g-equations that are left unas- 
signed are don’t-care conditions. They do not affect the counterexample, and 
can be left unassigned or given any value that does not violate transitivity, 
when interpreting the counterexample. 

As an optimization, we can choose not to enforce transitivity, or reflexivity, 
or both; these properties are not needed for models with in-order execution, as 
shown in the experiments (see Sect. 5). Alternatively, we can enforce partial 
transitivity — a heuristic for that is presented in Sect. 4.3, and was found to 
speed up the formal verification of processors with out-of-order execution and 
completion. 



4 Using the Automatic Abstraction 

4.1 Identifying Connected Equality-Comparison Components 

We will again assume that the formula contains term variables, Boolean vari- 
ables, logic connectives, ITE operators, and equations. Each equation is clas- 
sified as a p-equation or a g-equation, if it was reached under an even or odd 
number of negations, respectively, before the uninterpreted functions and unin- 
terpreted predicates were eliminated. Syntactic equations introduced when elim- 
inating uninterpreted functions and uninterpreted predicates are also classified 
as p-equations. The arguments of g-equations are either term variables or nested- 
ITE expressions selecting term variables. For each g-equation, all term variables 
that can be selected to appear as an argument are grouped into an equivalence 
class. Equivalence classes that have common term variables are merged and their 
g-equations are marked to belong to the same connected equality-comparison 
component. The properties of transitivity, functional consistency, and symme- 
try need to be enforced only within a connected component, since the values 
of equations from a connected component have no way of affecting equations 
from another connected component. That is, we can use a different version of 
interpreted predicate abs-equality for each connected component. 

In processors with branch prediction, the equations for the PC states, $PC_i$, 
in correctness formula (1) will contain term variables that are arguments to 
g-equations introduced by the mechanism for correcting branch mispredictions — if 
the actual and predicted branch targets are equal, then the prediction is correct 
and any speculative instructions are allowed to complete; otherwise, the specula- 
tive instructions are squashed. To ensure that such p-equations have values that 
are consistent with those of abstracted g-equations that control the speculation 
and have common term variables as arguments, we need to promote p-equations 
to g-equations. That is, for each p-equation, determine the equivalence class of 
term variables that may appear as an argument; if this equivalence class has 
a common element with another equivalence class that identifies a connected 
component of g-equations, then merge the two equivalence classes, and promote 
the p-equation to a g-equation from that connected component. 

4.2 Mapping Abstract Counterexamples to Concrete Ones 

A counterexample for the abstract model, where top-level g-equations are ab- 
stracted with abs-equality, is expressed by an assignment to the Ei variables — 
used when eliminating applications of abs-equality — and an assignment to the 
other Boolean variables — representing initial state of control signals, or intro- 
duced when eliminating uninterpreted predicates. We can map an abstract coun- 
terexample to a concrete one for the original model by following: 
Step 1. Compute the value of each application of abs-equality, based on the 
counterexample assignment to Ei and other Boolean variables in the abstract 
model. 

Step 2. For each application of abs-equality (the arguments are either term variables, 
or nested-ITE expressions selecting term variables), compute the values 
of the ITE-controlling formulas in the two arguments. 

Step 3. For each application of abs-equality, find the two term variables that 
will be selected for equality comparison in the abstracted g-equation, given the 
values of the ITE-controlling formulas computed in Step 2. If this application of 
abs-equality evaluates to true, then the two term variables should be equal in 
order to trigger a corresponding counterexample in the concrete model; otherwise, 
they are not equal. 

According to Theorem 1, the above steps will result in consistent assignments 
to low-level g-equations, without violating the properties of equality. 
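The two elimination schemes of Sect. 3 and the three-step counterexample mapping above, run on the worked example of Sect. 3 (terms $t_1 \ldots t_6$ over a, b, c, d and formulas $f_1, f_2, f_3$), as an added Python example; this is not code from the paper or from EVC. Terms are either term variables or nested ITEs, the connectives are a small constant-folding AST, and the function names (syn_eq, same_pair, nested_ite_scheme, ackermann_scheme, select, concretize) are this example's own. A brute-force pass over the six Boolean variables confirms the simplified forms the example states for the eliminated third application and for the Ackermann constraints, and that every abstract counterexample of either scheme concretizes to a consistent assignment of the low-level equations, which is the completeness half of Theorem 1.

```python
from itertools import product

# Propositional formulas: True/False, a variable name (str) or a tuple node
# ("not", f), ("and", f, g), ("or", f, g), ("ite", c, f, g). The constructors
# fold constants, so eliminated expressions come out in the paper's simplified shape.
def NOT(f):
    if isinstance(f, bool): return not f
    return f[1] if isinstance(f, tuple) and f[0] == "not" else ("not", f)

def AND(f, g):
    if f is False or g is False: return False
    return g if f is True else f if g is True else ("and", f, g)

def OR(f, g):
    if f is True or g is True: return True
    return g if f is False else f if g is False else ("or", f, g)

def ITE(c, f, g):
    if isinstance(c, bool): return f if c else g
    if f is True: return c if g is False else OR(c, g)
    if f is False: return NOT(c) if g is True else AND(NOT(c), g)
    if g is False: return AND(c, f)
    if g is True: return OR(NOT(c), f)
    return f if f == g else ("ite", c, f, g)

def IMPLIES(f, g): return OR(NOT(f), g)
def IFF(f, g): return ITE(f, g, NOT(g))

def evaluate(f, env):
    if isinstance(f, bool): return f
    if isinstance(f, str): return env[f]
    if f[0] == "not": return not evaluate(f[1], env)
    if f[0] == "and": return evaluate(f[1], env) and evaluate(f[2], env)
    if f[0] == "or": return evaluate(f[1], env) or evaluate(f[2], env)
    return evaluate(f[2], env) if evaluate(f[1], env) else evaluate(f[3], env)

# Terms: a term variable is a str; a nested ITE is TITE(cond, then, else).
def TITE(c, t, e): return ("ite", c, t, e)

def syn_eq(s, t):
    """(s =SYN t): the condition under which s and t select the same term variable."""
    if isinstance(s, tuple): return ITE(s[1], syn_eq(s[2], t), syn_eq(s[3], t))
    if isinstance(t, tuple): return ITE(t[1], syn_eq(s, t[2]), syn_eq(s, t[3]))
    return s == t

def same_pair(s, t, u, v):
    """Syntactic functional consistency or syntactic symmetry of (s, t) w.r.t. (u, v)."""
    return OR(AND(syn_eq(s, u), syn_eq(t, v)), AND(syn_eq(t, u), syn_eq(s, v)))

def nested_ite_scheme(apps):
    """k-th abs-equality(s,t) -> (s =SYN t) v ITE(match 1st, E1, ITE(match 2nd, E2, ... Ek))."""
    out = []
    for k, (s, t) in enumerate(apps):
        expr = f"E{k + 1}"
        for j in range(k - 1, -1, -1):   # inside out, so the outermost ITE tests the 1st application
            expr = ITE(same_pair(s, t, *apps[j]), f"E{j + 1}", expr)
        out.append(OR(syn_eq(s, t), expr))
    return out

def ackermann_scheme(apps):
    """k-th application -> Ek; returns the Ek list and the conjoined side constraints."""
    cons = True
    for k, (s, t) in enumerate(apps):
        cons = AND(cons, IMPLIES(syn_eq(s, t), f"E{k + 1}"))                 # reflexivity
        for j in range(k):                                                    # consistency + symmetry
            cons = AND(cons, IMPLIES(same_pair(s, t, *apps[j]), IFF(f"E{j + 1}", f"E{k + 1}")))
    return [f"E{k + 1}" for k in range(len(apps))], cons

def select(t, env):
    """Sect. 4.2, Step 2: the term variable a nested-ITE argument selects under env."""
    while isinstance(t, tuple): t = t[2] if evaluate(t[1], env) else t[3]
    return t

def concretize(apps, eliminated, env):
    """Sect. 4.2, Steps 1-3: map an abstract counterexample env to values of the low-level
    equations between the selected term variables; None if reflexivity is violated or
    one pair of term variables would receive two different values."""
    low_level = {}
    for (s, t), e in zip(apps, eliminated):
        x, y, val = select(s, env), select(t, env), evaluate(e, env)
        if (x == y and not val) or low_level.setdefault(frozenset((x, y)), val) != val: return None
    return low_level

# The example of Sect. 3: t1 = a, t2 = b, t3 = ITE(f1,c,a), t4 = c, t5 = ITE(f2,d,a), t6 = ITE(f3,a,b).
EXAMPLE_APPS = [("a", "b"), (TITE("f1", "c", "a"), "c"), (TITE("f2", "d", "a"), TITE("f3", "a", "b"))]

def check_example():
    """Brute force over f1..f3, E1..E3: the eliminated third application and the Ackermann
    constraints match the paper's simplified forms, and every counterexample of either
    scheme concretizes without contradiction, as the completeness half of Theorem 1 claims."""
    elim = nested_ite_scheme(EXAMPLE_APPS)
    ack, cons = ackermann_scheme(EXAMPLE_APPS)
    paper_third = OR(AND(NOT("f2"), "f3"), ITE(AND(NOT("f2"), NOT("f3")), "E1", "E3"))
    paper_cons = AND(AND(IMPLIES("f1", "E2"), IMPLIES(AND(NOT("f2"), "f3"), "E3")),
                     IMPLIES(AND(NOT("f2"), NOT("f3")), IFF("E1", "E3")))
    for bits in product([False, True], repeat=6):
        env = dict(zip(["f1", "f2", "f3", "E1", "E2", "E3"], bits))
        if evaluate(elim[2], env) != evaluate(paper_third, env): return False
        if evaluate(cons, env) != evaluate(paper_cons, env): return False
        if concretize(EXAMPLE_APPS, elim, env) is None: return False
        if evaluate(cons, env) and concretize(EXAMPLE_APPS, ack, env) is None: return False
    return True
```

The nested-ITE chain is built from the innermost variable outwards, so the outermost ITE always tests the first application: when the k-th application selects the same pair as some earlier application, it inherits the earliest matching $E_j$, which is what keeps the concretized low-level equations from receiving two values. Transitivity is not enforced here; on the Sect. 3 example no cycle of three compared pairs arises, which is why concretize checks only reflexivity and pairwise consistency.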

4.3 Heuristic for Partial Transitivity 

In processors with out-of-order completion, the specification side of the 
commutative diagram (Figure 1) completes the instructions in program order — 
assuming the abstraction function completes the instructions in program order — 
while the implementation side may reorder them. In a correct implementation, 
out-of-order execution and completion occur only if that would not introduce 
write-after-read or write-after-write hazards [10]. That is, destination 
registers of younger instructions are compared for equality with both source 
and destination registers of older instructions (appearing earlier in program 
order). A younger instruction is issued/completed only if each older instruction 
is issued/completed, or if the younger instruction will not introduce a hazard 
for an older instruction. The absence of a write-after-write hazard, when 
the destination registers of two instructions are not equal, implies that term 
variable cmp_addr, used as comparison address for the final states of the register 
file (see Sect. 2), may equal only one of these destination registers, but 
not both, or that will violate a transitivity constraint. That is, if $dest_1$ and 
$dest_2$ are destination registers compared for equality by the logic for preventing 
write-after-write hazards, then the comparison of the final register file states 
will introduce the equations $(dest_1 = cmp\_addr)$ and $(dest_2 = cmp\_addr)$. However, 
at most one of them can be true, since transitivity of equality implies that 

$\neg(dest_1 = dest_2) \land (cmp\_addr = dest_1) \Rightarrow \neg(cmp\_addr = dest_2)$ and 
$\neg(dest_1 = dest_2) \land (cmp\_addr = dest_2) \Rightarrow \neg(cmp\_addr = dest_1)$. 

Similar cycles of 3 equations, comparing two destination registers and 
a source register, may be introduced by the control logic in processors with 
out-of-order execution or completion — the equation between the two destination 
registers by logic checking for write-after-write hazards, and the two equations 
between a source register and each of the destination registers by logic checking 
for read-after-write or write-after-read hazards. Constraints for transitivity of 
equality are needed to prevent simultaneous forwarding of data from two older 
destination registers that are not equal, and whose instructions are reordered, 
to a younger source register. Hence, we can use a heuristic for enforcing partial 
transitivity. Let the names of all destination and source register identifiers 
contain the substrings "Dest" and "Src", respectively. Then, we can automatically 
detect pairs of destination registers compared for equality by the control 
logic. We can enforce partial transitivity only for such destination registers and 
any source registers occurring in equations with them, including term variable 
cmp_addr. As noted earlier, partial transitivity is a conservative approximation, 
since it results in discarding constraints. If the resulting formula $F'$ is valid, 
it will also be valid when extended with the omitted transitivity constraints, 
extra-transitivity, to a formula extra-transitivity $\Rightarrow F'$. 
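One way to carry out the triangulation and per-triangle constraint generation described in Sect. 3, together with the partial-transitivity filter of this subsection, as an added Python example (not the EVC implementation, and not code from the paper): the chordal completion below adds chords by a min-degree vertex elimination ordering, which is one standard way to triangulate and is assumed here; the reading of the heuristic (destination registers that the control logic compares with each other, plus the "Src" registers and cmp_addr adjacent to them) is this example's interpretation of the text; and the sample graph, with the Dest/Dest/Src and Dest/Dest/cmp_addr cycles of this subsection plus a 4-cycle of PC terms, is constructed. A brute-force check confirms that on the triangulated graph the triangle constraints are satisfied by exactly the edge assignments some real equality can produce, and that the untriangulated 4-cycle lets an inconsistent assignment through.

```python
from itertools import combinations, product

def edge(a, b): return frozenset((a, b))

def chordal_completion(edges):
    """Triangulate the equality-comparison graph: greedy min-degree vertex elimination,
    adding a chord between every two not-yet-adjacent neighbours of the eliminated
    vertex. Returns the original edges plus the added chords (as frozensets)."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b); adj.setdefault(b, set()).add(a)
    remaining, chords = set(adj), set()
    while remaining:
        v = min(remaining, key=lambda x: (len(adj[x] & remaining), x))
        for a, b in combinations(sorted(adj[v] & remaining), 2):
            if b not in adj[a]:
                adj[a].add(b); adj[b].add(a); chords.add(edge(a, b))
        remaining.remove(v)
    return {edge(a, b) for a, b in edges} | chords

def triangles(edge_set):
    """All cycles of length 3 in the graph."""
    adj = {}
    for e in edge_set:
        a, b = tuple(e)
        adj.setdefault(a, set()).add(b); adj.setdefault(b, set()).add(a)
    return {frozenset((a, b, c)) for a in adj
            for b, c in combinations(sorted(adj[a]), 2) if c in adj[b]}

def transitivity_clauses(tri):
    """Three constraints per triangle, e_ab & e_bc -> e_ac and its two rotations, as CNF
    clauses over the edge variables: each clause is a list of (edge, polarity) literals."""
    a, b, c = sorted(tri)
    ab, bc, ac = edge(a, b), edge(b, c), edge(a, c)
    return [[(ab, False), (bc, False), (ac, True)],
            [(ab, False), (ac, False), (bc, True)],
            [(ac, False), (bc, False), (ab, True)]]

def partial_transitivity_triangles(edge_set, cmp_addr="cmp_addr"):
    """Heuristic of Sect. 4.3 as read here: keep only triangles over destination registers
    compared with each other by the control logic, plus the source registers (and
    cmp_addr) that occur in equations with those destination registers."""
    dests = {v for e in edge_set for v in e if all("Dest" in w for w in e)}
    keep = set(dests)
    for e in edge_set:
        for x, y in (tuple(e), tuple(e)[::-1]):
            if x in dests and ("Src" in y or y == cmp_addr): keep.add(y)
    return {t for t in triangles(edge_set) if t <= keep}

def satisfies(clauses, asg):
    return all(any(asg[e] == pol for e, pol in cl) for cl in clauses)

def realizable(edge_set, asg):
    """Is this assignment to the edge variables consistent with some real equality, i.e.
    with an equivalence relation on the term variables? (union-find over true edges)"""
    parent = {v: v for e in edge_set for v in e}
    def find(x):
        while parent[x] != x: x = parent[x]
        return x
    for e in edge_set:
        if asg[e]:
            a, b = tuple(e); parent[find(a)] = find(b)
    return all(asg[e] or find(min(e)) != find(max(e)) for e in edge_set)

def triangle_constraints_suffice(edge_set):
    """Brute force: do the per-triangle constraints admit exactly the realizable assignments?
    True on a triangulated (chordal) graph; False when a chordless cycle remains."""
    edges = sorted(edge_set, key=sorted)
    clauses = [cl for t in triangles(edge_set) for cl in transitivity_clauses(t)]
    return all(satisfies(clauses, asg) == realizable(edge_set, asg)
               for bits in product([False, True], repeat=len(edges))
               for asg in [dict(zip(edges, bits))])

# Constructed sample: the Dest/Dest/Src and Dest/Dest/cmp_addr cycles of Sect. 4.3,
# plus a 4-cycle of PC terms that needs a chord before triangle constraints suffice.
SAMPLE_EDGES = [("Dest1", "Dest2"), ("Dest1", "cmp_addr"), ("Dest2", "cmp_addr"),
                ("Src1", "Dest1"), ("Src1", "Dest2"),
                ("pc1", "pc2"), ("pc2", "pc3"), ("pc3", "pc4"), ("pc4", "pc1")]

if __name__ == "__main__":
    E = chordal_completion(SAMPLE_EDGES)
    full = [cl for t in triangles(E) for cl in transitivity_clauses(t)]
    part = [cl for t in partial_transitivity_triangles(E) for cl in transitivity_clauses(t)]
    print(len(E), "edges after triangulation;", len(full), "transitivity clauses;",
          len(part), "with partial transitivity; sufficient:", triangle_constraints_suffice(E))
```

On the sample, triangulation adds the single chord pc2–pc4, giving four triangles and twelve clauses; the partial heuristic keeps only the two triangles over Dest1, Dest2, Src1 and cmp_addr, dropping the PC triangles entirely. The realizable-iff-satisfied check is the property that justifies emitting constraints per triangle only; without the chord, the assignment pc1=pc2, pc2=pc3, pc3=pc4 true and pc4=pc1 false passes every triangle clause but corresponds to no equality.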



5 Results 

The benchmarks used in the experiments are: 1dlx_c_mc_ex_bp, a single-issue 
pipelined DLX [10] with multicycle ALU, Instruction Memory, and Data Memory, 
as well as with exceptions and branch prediction, modeled and formally verified 
as described in [22]; 2dlx_cc_mc_ex_bp, a dual-issue superscalar DLX with 
in-order execution, and two identical execution pipelines with all of the above 
features [22]; 9vliw_mc_ex_bp, a 9-wide VLIW processor that also has all of the 
above features, as well as the same number and types of functional units as the 
Intel Itanium [11], [19], and imitates it in predicated execution, register remapping, 
and advanced loads — modeled and formally verified as described in [23]; xscale, 
a model of the Intel XScale processor [12] with specialized execution pipelines, 
scoreboarding [10], out-of-order completion, and imprecise exceptions — modeled 
and formally verified as described in [20]; 12pipe, a superscalar processor that 
can issue up to 12 instructions in program order on every clock cycle, and is 
capable of executing only ALU instructions [26]; and 8pipe_ooo, a superscalar 
model that can issue up to 8 instructions out of program order on every cycle, 
and is also capable of executing only ALU instructions [26]. 

The experiments were performed on a Dell OptiPlex GX260 with a 3.06-GHz 
Intel Pentium 4 processor that had a 512-KB on-chip level-2 cache, 2 GB 
of physical memory, and was running Red Hat Linux 9. The SAT-checker Siege 
[17], a top performer in the SAT'03 competition [14], was found to have the best 
performance on these benchmarks and was used for the experiments. The reader is 
referred to [26] for the translation to CNF format. All constraints for transitivity 
of equality were added to the CNF formulas from buggy implementations and 
correct models that require transitivity (xscale and 8pipe_ooo), but were manually 
switched off for correct models that do not require transitivity. Transitivity 
was enforced by triangulating the equality-comparison graphs [6], and adding 
transitivity constraints for each resulting cycle of length 3. All models were formally 
verified by computing the abstraction function with controlled flushing [8], 
where the user provides a flushing schedule that avoids the triggering of stalling 
conditions, thus simplifying the correctness formula. 
Table 1 presents the results with the $e_{ij}$ encoding. "Trans" CNF clauses 
represent constraints for transitivity of equality. The $e_{ij}$ Boolean variables ranged 
from 62 to 2,724; the total Boolean variables were between 142 and 2,844; the 
CNF variables between 1,148 and 115,915; the CNF clauses between 6,207 and 
8,395,649; the decisions made by the SAT-checker Siege were between 5,000 
and 167,000,000, while the conflicts that it resolved were between 2,000 and 
15,000,000; and the total verification time was between 0.18 seconds and 41,886 
seconds (i.e., 11.6 hours). 

Table 2 summarizes the results when abstracting the top-level g-equations, 
and using the nested-ITE scheme to eliminate the applications of predicate 
abs-equality. The $E_i$ Boolean variables — introduced when eliminating predicate 
abs-equality — ranged between 47 and 3,600, while the total number of Boolean 
variables increased accordingly. Three of the benchmarks — 2dlx_cc_mc_ex_bp, 
9vliw_mc_ex_bp, and xscale — required fewer CNF variables compared with 
the $e_{ij}$ encoding, with a reduction of 38% for xscale. Five of the benchmarks 
had fewer CNF clauses relative to the $e_{ij}$ encoding — with a reduction of 
approximately 50% in the case of xscale and 12pipe, and a 94% reduction of the 
transitivity clauses for xscale. 

The conceptually simpler solution space, resulting from the special interpreted 
predicate abs-equality, reduced the number of decisions for the last 3 
benchmarks by up to an order of magnitude — in the case of 12pipe, the decisions 
went from 167 million down to 16 million, and the conflicts from 15 million 
down to 1 million, speeding up the verification 13.73×; in the case of 8pipe_ooo, 
the decisions were reduced from 31 million to 4 million, and the conflicts from 
15 million to 1 million, with the speedup being 14.33×. Note that the EVC 
time for translation to SAT increased significantly for the two most complex 
benchmarks — from 57 seconds to 835 seconds (14.6×) in the case of 12pipe, and 
from 6 seconds to 53 seconds (8.8×) in the case of 8pipe_ooo — but that was more 
than offset by the dramatic reduction in the SAT time. 

Using Ackermann constraints instead of nested ITEs when enforcing reflexivity, 
syntactic functional consistency, and syntactic symmetry — see Table 3 — required up 
to 74% more CNF variables, and up to 10% more clauses in the case of 8pipe_ooo, 
resulting in smaller speedups of 9.23× for 12pipe, and 9.74× for 8pipe_ooo. 

Applying the heuristic for partial transitivity when formally verifying the two 
correct benchmarks that require transitivity — see Table 4 — resulted in a 98% 
reduction in the number of transitivity clauses, and a 13% reduction in the total 
number of clauses for 8pipe_ooo, increasing the speedup to 20× for that model. 

Miroslav N. Velev 

The above benchmarks do not require reflexivity of equality, since the g-equations 
are between source and destination register identifiers, which are separate 
instruction fields. However, in the M·CORE processor [15], a register identifier 
is used as both a source and destination register for the same instruction. 
Modifying both 12pipe and 8pipe_ooo, so that one of the source registers also 
served as destination register for the same instruction, resulted in automatically 
added reflexivity constraints, since the symbolic conditions for enforcing reflexivity 
did not simplify to false in EVC. However, those benchmarks also passed 
the safety check without reflexivity, since it is impossible for a register to be 
compared with itself in a correct implementation. 

The mechanism for enforcing reflexivity was tested by modifying 8pipe_ooo 
to require this property after the model was extended with: 

$t \leftarrow ITE(new\_var, a, b)$ 
$f_1 \leftarrow (t = a)$ 
$f_2 \leftarrow (t = b)$ 
$f_3 \leftarrow f_1 \lor f_2$ 

where a and b are arbitrary terms, new_var is a new Boolean variable, and 
formula $f_3$ was used as an additional enabling condition in the forwarding logic of 
the processor. Note that when t = a and t = b are abstracted with abs-equality, 
and the property of reflexivity is enforced, then $f_3$ will evaluate to true, since $f_1$ 
will be true when new_var is true, while $f_2$ will be true when new_var is false. 
However, without reflexivity, $f_3$ will evaluate to a symbolic expression that is 
not constrained to evaluate to true, and the modified forwarding logic will be 
incorrect. When reflexivity was not enforced, the SAT-checker Siege took 12 
seconds to find a counterexample. However, with reflexivity constraints added 
automatically (only for the applications of abs-equality where the conditions 
for enforcing reflexivity, i.e., the syntactic equality between the two arguments, 
do not simplify to false), Siege took time comparable to that for the original 
8pipe_ooo. 

Similarly, the mechanism for enforcing transitivity was tested with a variant 
of 8pipe_ooo. One level of the forwarding logic — where a result is forwarded to 
the ALU if a source register src equals a destination register dest — was modified 
to: 

$regs\_equal\_original \leftarrow (src = dest)$ 
$f_1 \leftarrow (t = src) \land (t = dest)$ 
$regs\_equal \leftarrow f_1 \lor regs\_equal\_original$ 

where t is an arbitrary term, such that the new formula regs_equal was used to 
control forwarding of data, as opposed to the original formula regs_equal_original. 
Note that if transitivity is enforced, then $((t = src) \land (t = dest)) \Rightarrow (src = dest)$, 
i.e., $f_1 \Rightarrow regs\_equal\_original$, so that $regs\_equal \Leftrightarrow regs\_equal\_original$, and 
the modified processor will function like the original, where formula 
regs_equal_original is used to control forwarding. However, without transitivity, $f_1$ may 
evaluate to true when regs_equal_original evaluates to false, so that data may 
be forwarded incorrectly. With partial transitivity, a counterexample was found 
in 15 seconds, but with complete transitivity, validity was proved in time comparable 
to that for the original 8pipe_ooo. 

To evaluate the efficiency of abs-equality when formally verifying incorrect 
models, 10 buggy variants of 12pipe were created. While abs-equality reduced 
the number of SAT decisions by up to 2.5×, the number of conflicts by up to 
5×, and the SAT-checking time by up to 5× as well, the total time was always 
longer compared with the $e_{ij}$ encoding (up to 7×), due to the much increased 
time for SAT translation. 
Table 1. Results from the $e_{ij}$ encoding 

Processor          Boolean Variables   CNF       CNF Clauses            SAT-Checker Siege        CPU Time [sec] 
                   e_ij     Total      Vars      Trans      Total       decisions   conflicts    TLSim   EVC    SAT      Total 
1dlx_c_mc_ex_bp    62       142        1,148     0          6,207       5x10^3      2x10^3       0.04    0.04   0.1      0.18 
2dlx_cc_mc_ex_bp   256      414        4,482     0          41,071      36x10^3     10x10^3      0.06    0.27   1.18     1.51 
9vliw_mc_ex_bp     2,968    3,326      24,373    0          232,209     936x10^3    101x10^3     0.1     1.6    37       38.7 
xscale             2,387    2,669      43,574    102,480    656,381     72x10^3     27x10^3      0.2     3.8    21       25 
12pipe             2,724    2,844      115,915   0          8,395,649   167x10^6    15x10^6      0.4     57     41,829   41,886 
8pipe_ooo          2,129    2,209      35,510    117,462    1,191,215   31x10^6     15x10^6      0.2     6      19,981   19,987 

Table 2. Abstracting the top-level g-equations, and using the nested-ITE scheme. The speedup is 
the total time with the $e_{ij}$ encoding divided by the new total time 

Processor          Boolean Variables   CNF       CNF Clauses            SAT-Checker Siege        CPU Time [sec]                   Speedup 
                   E_i      Total      Vars      Trans      Total       decisions   conflicts    TLSim   EVC    SAT      Total 
1dlx_c_mc_ex_bp    47       128        1,188     0          6,415       5x10^3      1x10^3       0.04    0.04   0.04     0.12     1.50 
2dlx_cc_mc_ex_bp   159      317        4,251     0          32,716      35x10^3     10x10^3      0.06    0.27   1        1.33     1.14 
9vliw_mc_ex_bp     1,894    2,252      17,481    0          167,567     936x10^3    122x10^3     0.1     1.9    41       43       0.90 
xscale             333      643        26,857    5,907      326,041     52x10^3     19x10^3      0.2     2.5    12.6     15       1.67 
12pipe             3,600    3,720      136,800   0          4,216,460   16x10^6     1x10^6       0.4     835    2,215    3,050    13.73 
8pipe_ooo          2,157    2,638      42,365    134,670    1,021,721   4x10^6      1x10^6       0.2     53     1,342    1,395    14.33 

Table 3. Abstracting the top-level g-equations, and using the Ackermann-constraint scheme. 
The speedup is the total time with the $e_{ij}$ encoding divided by the new total time 

Processor          Boolean Variables   CNF       CNF Clauses            SAT-Checker Siege        CPU Time [sec]                   Speedup 
                   E_i      Total      Vars      Trans      Total       decisions   conflicts    TLSim   EVC    SAT      Total 
1dlx_c_mc_ex_bp    47       128        1,254     0          6,592       5x10^3      1x10^3       0.04    0.06   0.05     0.15     1.20 
2dlx_cc_mc_ex_bp   159      317        4,627     0          33,756      33x10^3     9x10^3       0.06    0.27   1.16     1.49     1.01 
9vliw_mc_ex_bp     1,894    2,252      20,168    0          175,593     848x10^3    115x10^3     0.1     1.95   40       42       0.92 
xscale             333      643        27,839    5,907      328,924     44x10^3     19x10^3      0.2     2.7    13.4     16       1.56 
12pipe             3,600    3,720      192,105   0          4,382,554   17x10^6     1x10^6       0.4     839    3,699    4,538    9.23 
8pipe_ooo          2,157    2,638      73,680    134,670    1,128,542   4x10^6      0.9x10^6     0.2     52     2,001    2,053    9.74 

Table 4. Using the heuristic for partial transitivity, abstracting the top-level g-equations, and 
applying the nested-ITE scheme. The speedup is the total time with the $e_{ij}$ encoding divided by 
the new total time 

Processor          Boolean Variables   CNF       CNF Clauses            SAT-Checker Siege        CPU Time [sec]                   Speedup 
                   E_i      Total      Vars      Trans      Total       decisions   conflicts    TLSim   EVC    SAT      Total 
xscale             330      612        26,826    4,089      324,223     52x10^3     23x10^3      0.2     2.3    17.1     19.6     1.28 
8pipe_ooo          1,684    1,764      41,491    2,772      889,823     4x10^6      0.9x10^6     0.2     25     973      998      20.03 
6 Conclusions 

The paper presented a method for automatic abstraction of equations in a logic 
of equality by using a special interpreted predicate that satisfies the properties 
of transitivity, reflexivity, syntactic functional consistency, and syntactic symme- 
try. This abstraction is both sound and complete. The abstraction reduced the 
number of CNF clauses by up to 50%, and sped up the formal verification by up 
to an order of magnitude relative to the e_ij method, where a Boolean variable is 
used to encode each unique low-level equation between term variables. A heuris- 
tic for partial transitivity resulted in additional speedup for correct benchmarks 
that need transitivity. Abstracting the top-level equations had better perfor- 
mance, due to the concise encoding of many low-level equations between term 
variables with a single Boolean variable, thus resulting in an order of magnitude 
reduction in the number of decisions and the number of conflicts resolved by 
a SAT-checker when evaluating the Boolean correctness formula. 
Abstract. A system with variable splitting is introduced for a sequent 
calculus with free variables and run-time Skolemization. Derivations in 
the system are invariant under permutation, so that the order in which 
rules are applied has no effect on the leaves. Technically this is achieved 
by means of a simple indexing system for formulae, variables and Skolem 
functions. Moreover, the way in which variables are split enables us to 
restrict the term universe branchwise. 



1 Introduction 

In free variable sequent calculi variable binding is separated from the rules and 
implemented by means of explicit substitutions. In consequence there are no 
side conditions which regulate the order of rule application. However, since free 
variables are then copied into different branches, this may lead to dependencies 
between branches that one will not have if a specific rule ordering is observed. 
To avoid such dependencies, the same variable can in some cases be bound to 
different values in different branches. The task of identifying exactly when this 
can be done is known as the variable splitting problem. 

The aim of this paper is to present a solution to this problem for a cut- 
free system of classical logic without equality. Attempting both to reveal the 
nature of this problem and to motivate our contribution, we shall start out with 
a brief discussion of the types of quantifier rules used in three standard proof 
systems for classical logic. To facilitate comparison we address their sequent 
calculi formulations. Following the notation of Smullyan [10] L∀ and R∃ are 
called γ-rules, L∃ and R∀ are called δ-rules, branching rules are β-type rules and 
the remaining logical rules are of α-type. A γ-formula is a formula occurrence 
which potentially can be principal in a γ-type inference. 

In comparing the complexity of search spaces one relevant factor is the length 
of proofs (counted in number of inference steps). Of no less importance, although 
much harder to measure, is the uniformity of the search space and the possibility 
of avoiding irrelevant steps in the search process. Some central questions related 
to proof-search are: 

1. Is it possible to apply the rules in any order? 

2. Does the system admit free variables and variable binding by means of ex- 
plicit substitutions? 



M. Cialdea Mayer and F. Pirri (Eds.): TABLEAUX 2003, LNAI 2796, pp. 214-229, 2003. 
(c) Springer- Verlag Berlin Heidelberg 2003 



A Free Variable Sequent Calculus with Uniform Variable Splitting 215 



3. Given that the system has free variables and does not constrain the intrinsic 
order of rules, is the number of explicit copies of γ-formulae on a branch 
independent of the intrinsic rule order? 

4. Can the number of explicit copies of γ-formulae on a given branch be locally 
bounded by the term universe of the branch? 

A negative answer to the first question implies that there are limited possibilities 
for goal-directed search, i.e. search driven by connections or potential axioms. 
It is then hard to prevent expansion of irrelevant formulae. If the answer to 
the second question is negative, we must choose instantiation terms along with 
applications of 7-type rules. We then run the risk of instantiating quantifiers 
with irrelevant terms, and this may give rise to irrelevant inferences. A positive 
answer to the first two questions greatly improves the possibility of performing 
least commitment search. Nevertheless, it may still be the case that unification- 
based goal-directed search has a cost in terms of proof length (addressed by 
the third and fourth questions). Should this be the case, the least commitment 
strategy may give rise to redundancies in the proof objects, and the benefits 
of the strategy become harder to measure. The fourth question has to do with 
termination within decidable fragments of the language. An affirmative answer 
greatly facilitates the formulation of an efficient termination criterion. On the 
contrary, a negative answer is likely to have a negative impact both on the 
complexity of the search space and on the length of proofs (due to redundant 
inferences) . We may also fail to detect that a given sequent is unprovable in cases 
where the term universe of one open branch would have been finitely bounded, 
given another set of quantifier rules. 

For systems without free variables, and which adopt Gentzen's eigenparam- 
eter condition (to avoid confusion we shall use 'eigenparameter' instead of the 
more usual 'eigenvariable'), the answers to the first two questions are negative. 
However, the answer to the fourth is positive. If we, on the other hand, let the 
γ-rules introduce free variables and the δ-rules introduce Skolem functions (the 
type of which is irrelevant here), we can postpone the choice of instantiation 
terms to the level of axioms and select them on the basis of appropriate equa- 
tions. In consequence, the rule dependencies expressed by the eigenparameter 
condition are replaced by term dependencies defined by unification problems. 
This gives systems with a positive answer to questions 1 and 2. 

However, to say that γ-rules generate free variables is not an exhaustive 
description of the free variable system. We must also specify a mechanism for 
selecting free variables, and this has an impact on the other two questions. In one 
extreme, we may select a fresh variable for each γ-rule application. This strategy 
generates variable-pure skeletons and is illustrated by the leftmost skeleton (π₁) 
below. If, in that skeleton, the two variables u₁ and u₂ are distinct, the skeleton 
is variable-pure. Note that the skeleton can be extended to a proof without any 
new application of an L∀ inference; the final skeleton can be closed by the substi- 
tution {u₁/a, u₂/b}. Also note that in each case the inference which introduces 
a variable occurs above the inference which introduces the Skolem function of 
the binding; this property corresponds to the fulfilment of the eigenparameter 



216 Arild Waaler and Roger Antonsen 



condition. In the rightmost skeleton (π₂) the order is reversed. Note that the 
free variable u is copied into the two branches, creating a dependency which is 
absent in π₁. In π₂ we must apply an L∀ once more in one of the branches to 
close the skeleton (φx is ∃y(Pxy ∧ Qx) and ψx is ∃yPxy). 

The skeletons grow upwards; the binding that closes each leaf is written above it.

π₁ (L∀ above R∀ in both branches):

  u₁ = a                          u₂ = b
  ∀xφx, φu₁ ⊢ ψa                  ∀xφx, φu₂ ⊢ Qb
  -------------------- L∀         -------------------- L∀
  ∀xφx ⊢ ψa                       ∀xφx ⊢ Qb
  -------------------- R∀ (δ, a)  -------------------- R∀ (δ, b)
  ∀xφx ⊢ ∀xψx                     ∀xφx ⊢ ∀xQx
  ---------------------------------------------------- R∧
                 ∀xφx ⊢ ∀xψx ∧ ∀xQx

π₂ (L∀ below R∧; u is copied into both branches):

  u = a                           u = b
  ∀xφx, φu ⊢ ψa                   ∀xφx, φu ⊢ Qb
  -------------------- R∀ (δ, a)  -------------------- R∀ (δ, b)
  ∀xφx, φu ⊢ ∀xψx                 ∀xφx, φu ⊢ ∀xQx
  ---------------------------------------------------- R∧
                 ∀xφx, φu ⊢ ∀xψx ∧ ∀xQx
  ---------------------------------------------------- L∀
                 ∀xφx ⊢ ∀xψx ∧ ∀xQx



Variable-pure skeletons correspond to free variable tableaux. As the example 
illustrates, the answer to question 3 is negative for these systems. The answer 
to question 4 is in general also negative, unless a rule ordering is selected which 
is guaranteed to fulfil the eigenparameter condition. However, question 1 then 
receives a negative answer. To remedy this situation a strategy for identifying 
universal variables was proposed in [3]. Applied to π₂, the strategy identifies the 
occurrences of u as universal in the branches; u can then be bound to different 
terms in different branches. However, even if this idea works in this particular 
example, it has limited range. It does e.g. not work for the sequent ∀x(Px → 
(Qx ∧ Rx)) ⊢ ∀x(Px → Qx) ∧ ∀x(Px → Rx) given that the left implication 
inference occurs below the one for right conjunction. 

If the variables u₁ and u₂ in π₁ are identical, the skeleton is variable-sharing. 
This class of skeletons was identified in [11], where it is shown that leaf sequents 
of skeletons which are balanced (defined below) correspond to paths through 
matrices [6]. As this strategy for selecting variables generates freely permuting 
skeletons, the answer to question 3 is positive. However, since the cost of the 
nice permutation properties is strong dependencies among variable occurrences, 
question 4 receives a negative answer. 

Attempting to solve the redundancy problem for matrices Bibel sketched an 
idea for variable splitting [5]. We believe that the system introduced in this paper 
can be taken as a sharp formulation of his idea, fully generalized to non-clausal 
formulae and not restricted to balanced skeletons. As skeletons of our system 
are freely permuting, the answers to the first three questions are the same as for 
variable-sharing systems. And since we can fully simulate proofs constructed in 
a calculus with eigenparameters, question 4 receives the same answer as for this 
calculus. We hence combine the best of the three quantifier treatments discussed 
in this section and can respond 'yes' to all four questions. 



2 The Free Variable System 

The core of the object language consists of basic formulae, inductively defined 
from disjoint, countable sets of predicate symbols, function symbols and quan- 
tification variables by means of the logical connectives ¬, ∧, ∨, →, ∀ and ∃ (all of 
which have rules in Fig. 1). In addition to this the object language defines additional 
sets of instantiation variables of the form u_m^n and Skolem functions of the form 
f_m^n; m, n ∈ ℕ (the role of the pair m, n is explained below). The set of instantiation 
terms is inductively defined from the instantiation variables, Skolem functions and 
function symbols of the language. Note that an instantiation term does not contain 
quantification variables. The set of formulae is defined from the set of basic formulae 
by substitution: (1) a basic formula is a formula; (2) if a quantification variable x 
occurs free in a formula and t is an instantiation term, then the result of replacing 
every occurrence of x with t is a formula. Note that an instantiation variable is never 
bound by a quantifier. 

In a closed formula all quantification variables are bound. Formulae with 
instantiation terms will be generated by the rules of the calculus and do not exist 
outside such a context: their purpose is to provide a syntax for free variables and 
run-time skolemization. The arity of each Skolem function will always be clear 
from the context. 

Formula occurrences are assumed to be representations of underlying formula 
trees (cf. e.g. [113] or [9]). Each node in a formula tree contains a label (a connec- 
tive or an atomic formula) together with a unique index pair m^n: the subscript m 
is called an occurrence number and the superscript n is called a copy number. 
In a given formula tree all copy numbers must be identical and all occurrence 
numbers must be unique. Each node also has a polarity (L or R, denoting their 
side in sequents) and a principal type (α, β, γ, δ, or none for atomic formulae). 
A node will be referred to by its index pair. Formula trees with copy numbers 
greater than 1 will always be generated from formula trees with lower copy num- 
bers. The dominance relation is defined over uniquely indexed sets of formula 
trees as the least transitive relation such that: (1) m^n dominates k^l if the m^n-node 
is above the k^l-node in its formula tree; (2) if m^n is a γ-node, it dominates 

Two different nodes in a formula tree are β-related if their greatest common 
descendant in the formula tree is of principal type β and they are not in the 
same branch of the formula tree. If m^n is a β-node, then the index pairs of the 
two immediate ancestors are called β-options for m^n and the two index pairs are 
dual. Let S be a set of index pairs such that each of them is a β-option for some 
β-type index pair and each of them is a dual to another index pair in S. A β-path 
through S is defined as a maximal subset of S such that no two index pairs in it 
are β-related. 

Example 1. (∃x((Px)_3^1 ∧ (Qx)_4^1)_2^1)_1^1 represents the rightmost formula tree. There 
are four β-paths through {3^1, 4^1, 7^1, 8^1}; one of them is {3^1, 8^1}. A shorthand notation 
for the formula occurrence above is ∃x(Px ∧ Qx)_1^1. 

[Figure with the formula trees of Ex. 1 not reproduced; the rightmost tree has the nodes 1, 3, 2, 4.]
A set of β-options with no β-related index pairs is called a splitting set. 
A formula occurrence is decorated when it is labeled with a splitting set. By 
convention empty splitting sets are not displayed. As we shall see the /3-rules of 
the system (which split branches of a skeleton) dynamically increase the splitting 
sets of their premisses so that instantiation variables can be split accordingly 
later on. Sequents are ordered pairs of the form F \- A, where F and A are sets 
of decorated, closed formula occurrences. 

A skeleton is a finitely branching tree regulated by the rules of Fig. 1 with 
an endsequent in which all occurrence numbers are distinct, all copy numbers 
are identical to 1 and all splitting sets are empty. All skeletons addressed in this 
paper are finite (infinite skeletons naturally arise as limit objects generated by 
proof search operations) . 

Henceforth, we will use the term formula for the more pedantic 'decorated 
formula occurrence'. In Fig. 1 the formulae in Γ and Δ are called extra formulae, 
while the other formula in the conclusion is called the principal formula and the 
other formula(e) in the premiss(es) are called active formulae. Meta-language 
conventions: m^n denotes the index pair of φ and S its splitting set. 



α-rules 

    Γ, φ S, ψ S ⊢ Δ                  Γ ⊢ φ S, ψ S, Δ                  Γ, φ S ⊢ ψ S, Δ
  ---------------------- L∧        ---------------------- R∨        ---------------------- R→
    Γ, (φ ∧ ψ)_m^n S ⊢ Δ             Γ ⊢ (φ ∨ ψ)_m^n S, Δ             Γ ⊢ (φ → ψ)_m^n S, Δ

    Γ, φ S ⊢ Δ                       Γ ⊢ φ S, Δ
  ---------------------- R¬        ---------------------- L¬
    Γ ⊢ (¬φ)_m^n S, Δ                Γ, (¬φ)_m^n S ⊢ Δ

β-rules (i and j are the index pairs of the two active formulae, the β-options of m^n) 

    Γ ⊎ i ⊢ φ_i S, Δ ⊎ i      Γ ⊎ j, ψ_j S ⊢ Δ ⊎ j
  --------------------------------------------------- L→
    Γ, (φ_i → ψ_j)_m^n S ⊢ Δ

    Γ ⊎ i, φ_i S ⊢ Δ ⊎ i      Γ ⊎ j, ψ_j S ⊢ Δ ⊎ j
  --------------------------------------------------- L∨
    Γ, (φ_i ∨ ψ_j)_m^n S ⊢ Δ

    Γ ⊎ i ⊢ φ_i S, Δ ⊎ i      Γ ⊎ j ⊢ ψ_j S, Δ ⊎ j
  --------------------------------------------------- R∧
    Γ ⊢ (φ_i ∧ ψ_j)_m^n S, Δ

Weakening 

    Γ ⊢ Δ                            Γ ⊢ Δ
  ---------------------- LW        ---------------------- RW
    Γ, φ_m^n S ⊢ Δ                   Γ ⊢ φ_m^n S, Δ

δ-rules 

    Γ ⊢ φ[x/f_m^n ū] S, Δ            Γ, φ[x/f_m^n ū] S ⊢ Δ
  ---------------------- R∀        ---------------------- L∃
    Γ ⊢ (∀xφ)_m^n S, Δ               Γ, (∃xφ)_m^n S ⊢ Δ

γ-rules 

    Γ, (∀xφ)_m^(n+1) S, φ[x/u_m^n] S ⊢ Δ        Γ ⊢ (∃xφ)_m^(n+1) S, φ[x/u_m^n] S, Δ
  ---------------------------------- L∀        ---------------------------------- R∃
    Γ, (∀xφ)_m^n S ⊢ Δ                           Γ ⊢ (∃xφ)_m^n S, Δ

Fig. 1. The rules of the free variable system 

Remarks about the rules: 

β-rules: Γ ⊎ i denotes {φ(S ∪ {i}) | φ S ∈ Γ}, the set of formulae in Γ 
where the index pair i has been added to the splitting sets. In a premiss of 
a β-rule, the index pair of the active formula is added to all splitting sets in the 
sequent except the splitting set of the active formula itself. It is immediate that 
the property of being a splitting set is preserved in this operation. 

γ-rules: These rules introduce instantiation variables u_m^n where m^n corre- 
sponds to the index pair of the principal formula. In addition, the γ-rules have 
built-in an implicit contraction operation so that they also introduce new copies 
of the principal formula. The new occurrence is obtained from the principal 
formula by incrementing the copy number. 

δ-rules: These rules skolemize the principal formulae in the following way: If 
(∀xφ)_m^n S is the principal formula in which exactly the instantiation variables 
ū = u_(m1)^(n1), ..., u_(mk)^(nk) occur, then the Skolem term f_m^n ū is introduced and substi- 
tuted for the variable x. This δ-rule lies somewhere between a δ⁺⁺-rule [8] and 
a δ⁺-rule [4]. It is δ⁺-like in the sense that only variables in the current formula 
matter, not all variables in the conclusion, like the original δ-rule [7], or all rel- 
evant variables, like the δ*-rule [2]. Moreover, all formulae with the same index 
pair will introduce identical Skolem functions, which is δ⁺⁺-like with respect to 
different branches. (A closer approximation to the δ⁺⁺-rule could be obtained by 
skipping the copy numbers of the Skolem functions altogether.) Convention: a_m^n 
denotes the Skolem function in the case that this has arity 0, i.e. when it is 
a Skolem constant. 

Weakening: The principal formula φ_m^n S is called a weakening formula. 

It is easy to see that a branch in a skeleton can be identified with a set B of 
index pairs; each β-inference which belongs to this branch has exactly one of its 
β-options in B. A splitting set in the branch B is thus always a subset of B. We 
shall simply refer to a branch by the set of index pairs which identifies it. 

The implicit contraction in the γ-rules gives rise to a notational redundancy 
which should be avoided. Using the rules in an unconstrained way it is possible 
to generate a skeleton branch with a leaf of the form Γ, (∀xφ)_m^n S₁, (∀xφ)_m^(n+1) S₂ ⊢ 
Δ. If we apply L∀ to this sequent with (∀xφ)_m^n S₁ principal, this inference will 
generate a contraction formula (∀xφ)_m^(n+1) S₁. We will thus have two occurrences 
of the formula (∀xφ)_m^(n+1) in the same sequent, only differing in their splitting 
sets. In this case we will apply weakening to the occurrence with splitting set S₁. 
More generally, a skeleton is normal if the following conditions hold for all its 
inferences: 

— if φ_m^n S₁ is principal, there is no extra formula of the form φ_m^k S₂ with k > n, 

— if there is an active formula of the form φ_m^n S₁ and there is an extra formula of 
the form φ_m^k S₂ with k > n, then the active formula is a weakening formula, 

— no occurrence is a weakening formula unless it satisfies the condition in the 
previous clause. 

The first condition states that we must expand a formula with a lower copy 
number before a corresponding one with a higher copy number. In the second 
condition the extra formula has been generated by an implicit contraction 
in an inference further down in the branch. This occurrence is preferred over the 
active formula. 

The following lemma holds for normal skeletons. Since this lemma is impor- 
tant, we will in the following assume that all skeletons are normal. 

Lemma 1. Let φ_m^n S occur in the leaf sequent of a branch B of a normal skele- 
ton. Then S is the set of all index pairs in B which are not dominated by m^n. 

The intuition behind the splitting sets is to identify instantiation variables 
by the splitting sets of the surrounding formulae. The uniformity of the splitting 
sets provides a machinery to split variables maximally without losing sight of 
logical dependencies between these. Splitting sets are assigned to instantiation 
terms and atomic formulae by the color assignment operator ⊕: 

- (Pt₁, ..., t_k) ⊕ S = P (t₁)⊕S, ..., (t_k)⊕S, 

- (f_m^n t₁, ..., t_k) ⊕ S = f_m^n (t₁)⊕S, ..., (t_k)⊕S, 

- (u_m^n) ⊕ S = u_m^n S. 

The variable u_m^n S is called a colored variable; (t)⊕S is a colored term, (Pt̄)⊕S 
is a colored formula. The splitting set S is in this context a color. 

We shall see in subsequent examples that the splitting mechanism in the rules 
in some cases is too liberal and in other cases insufficient. To compensate for this 
we shall assign colors in a careful way and introduce a set of so-called secondary 
equations explicitly identifying colored variables which are syntactically different 
but logically identical. Key definitions follow. 

A connection for a given skeleton branch B is an ordered pair of the form 

  (Ps₁, ..., s_k) ⊕ (S \ T) ⊢ (Pt₁, ..., t_k) ⊕ (T \ S) 

such that (Ps₁, ..., s_k)_μ S ⊢ (Pt₁, ..., t_k)_ν T is a subsequent of the leaf sequent 
of the branch, where μ and ν are the index pairs of the two formulae. S \ T consists 
of the index pairs in B dominated by ν and not dominated by μ (for intuitions see 
Ex. 4). The connection generates k primary equations of the form 

  (s_l) ⊕ (S \ T) = (t_l) ⊕ (T \ S). 

The connection for B also generates a set of auxiliary equations in the following 
way. Let I be the set of all β-options in the skeleton (i.e. the union of all splitting 
sets which identify a branch in the skeleton). Let M be any β-path through I 
such that B ⊆ M. Note that M describes a potential extension of B. Let B' be 
the set of all index pairs in M not dominated by μ and not dominated by ν 
(the index pairs of the two connection formulae). If uU is a colored variable in 
a primary equation given by the connection for B, then 

  uU = u(U ∪ B') 

is an auxiliary equation for the given connection. 
A set of connections C defines a set of primary equations as the collection 
of primary equations generated from connections in C. It also defines a set of 
secondary equations as the set of identities between colored variables in C which 
follow from the primary equations and the auxiliary equations for C, but do not 
follow from the primary equations alone. Intuitions about secondary equations 
can be found in the discussion of Ex. 5. 

Let C be a set of connections. A substitution for C is a partial function σ 
which maps colored variables of C into the term universe of C (i.e. the terms 
generated by function symbols, Skolem functions and colored variables occurring 
in C). If ξ is a colored term or a colored formula, ξσ is the result of replacing 
every occurrence of each vS in both ξ and the domain of σ with σ(vS). σ is 
idempotent if for all colored variables vS, (vS)σ = ((vS)σ)σ. It is a solution to 
an equation of colored terms t₁ = t₂ if t₁σ = t₂σ. It is closing for C if it is a 
solution to all the primary and secondary equations for C. 

Let π be a skeleton. A set C of connections is spanning for π if there is exactly 
one connection in C for each branch in π. If C is spanning and σ is idempotent 
and closing for C, then (π, C, σ) is a proof of the endsequent of π. 

Example 2. Assume that R∧ is the lowermost inference in a skeleton of which the 
sequent discussed in Section 1 is the endsequent. Its occurrence numbers are ∀x:1, 
∃y:2, ∧:3, Pxy:4, Qx:5 for the antecedent and ∧:6, ∀x:7, ∃y:8, Pxy:9, ∀x:10, Qx:11 
for the succedent. The two leaf sequents (without extra occurrences of γ-formulae) 
are displayed below. The atomic formulae which give rise to connections are marked 
with an asterisk. No auxiliary equations are generated. 

  *(Pu_1^1 f_2^1 u_1^1)_4^1{7^1}, (Qu_1^1)_5^1{7^1} ⊢ *(Pa_7^1 u_8^1)_9^1

  (Pu_1^1 f_2^1 u_1^1)_4^1{10^1}, *(Qu_1^1)_5^1{10^1} ⊢ *(Qa_10^1)_11^1

  ∀x∃y(Pxy ∧ Qx)_1^1{7^1} ⊢ (∀x∃yPxy)_7^1      ∀x∃y(Pxy ∧ Qx)_1^1{10^1} ⊢ (∀xQx)_10^1
  -------------------------------------------------------------------------------- R∧
                   ∀x∃y(Pxy ∧ Qx)_1^1 ⊢ (∀x∃yPxy ∧ ∀xQx)_6^1

Connections: Pu_1^1{7^1} f_2^1(u_1^1{7^1}) ⊢ Pa_7^1 u_8^1 and Qu_1^1{10^1} ⊢ Qa_10^1. The substitution 
σ = {u_1^1{7^1}/a_7^1, u_8^1/f_2^1(a_7^1), u_1^1{10^1}/a_10^1} is closing for the two connections and 
provides a proof. 
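The bookkeeping behind Lemma 1, the color assignment operator and the pruning of a connection is entirely mechanical, and working it through once makes the empty color of (Pa_7^1 u_8^1)_9^1 above (9 dominates 7, so the β-option 7 is dropped) less surprising. The following Python script is an added illustration written for this page; it is not the authors' code. It computes the four β-paths of Ex. 1 and the primary equations of the two connections of Ex. 2 from formula trees that are constructed here from the occurrence numbers given in the examples (the names EX1_TREES, EX2_TREES and all function names are ours). Trees are read root-down as in the paper, so "μ dominates ν" means that ν lies on the path from μ to the root of its tree, and dominance is taken to be reflexive so that an active formula never carries its own index pair in its splitting set, as the remark on the β-rules requires. All copy numbers are 1, so a node is named by its occurrence number alone.

```python
"""Splitting sets (Lemma 1), beta-paths and pruned connections of Sect. 2.

Added illustration, not the authors' code.  Formula trees are root-down as
in the paper: 'mu dominates nu' iff nu lies on mu's path to the root, taken
reflexively so that an active beta-formula never carries its own index pair.
Copy numbers are all 1; a node is named by its occurrence number.
"""
from itertools import combinations

# Constructed data: node -> (principal type, children); atoms have no children.
EX1_TREES = {
    1: ('gamma', [2]), 2: ('beta', [3, 4]), 3: ('atom', []), 4: ('atom', []),   # R: Ex(Px & Qx)
    5: ('delta', [6]), 6: ('beta', [7, 8]), 7: ('atom', []), 8: ('atom', []),   # L: Ex(Rx -> Px)
    9: ('gamma', [10]), 10: ('atom', []),                                         # L: AxRx
    11: ('delta', [12]), 12: ('atom', []),                                        # L: ExQx
}
EX2_TREES = {
    1: ('gamma', [2]), 2: ('delta', [3]), 3: ('alpha', [4, 5]), 4: ('atom', []), 5: ('atom', []),  # L: AxEy(Pxy & Qx)
    6: ('beta', [7, 10]), 7: ('delta', [8]), 8: ('gamma', [9]), 9: ('atom', []),                  # R: AxEyPxy & AxQx
    10: ('delta', [11]), 11: ('atom', []),
}

def root_chain(trees, node):
    """node followed by its descendants towards the root of its tree."""
    parent = {c: n for n, (_, kids) in trees.items() for c in kids}
    chain = []
    while node is not None:
        chain.append(node)
        node = parent.get(node)
    return chain

def dominates(trees, mu, nu):
    return nu in root_chain(trees, mu)

def beta_related(trees, p, q):
    """Greatest common descendant is a beta-node and neither lies on the other's path."""
    cp, cq = root_chain(trees, p), root_chain(trees, q)
    meet = next((n for n in cp if n in cq), None)
    return meet is not None and meet not in (p, q) and trees[meet][0] == 'beta'

def beta_paths(trees, S):
    """Maximal subsets of S containing no two beta-related index pairs."""
    S = sorted(S)
    indep = [set(c) for k in range(len(S) + 1) for c in combinations(S, k)
             if not any(beta_related(trees, a, b) for a, b in combinations(c, 2))]
    return [m for m in indep if not any(m < o for o in indep)]

def splitting_set(trees, mu, B):
    """Lemma 1: the index pairs of branch B that mu does not dominate."""
    return {b for b in B if not dominates(trees, mu, b)}

def color(term, S):
    """The operator (+): ('u', m) -> ('u', m, S); Skolem terms ('f', m, args) pass S on."""
    if term[0] == 'u':
        return ('u', term[1], frozenset(S))
    return ('f', term[1], tuple(color(a, S) for a in term[2]))

def primary_equations(trees, B, left, right):
    """left = (mu, [s1..sk]) and right = (nu, [t1..tk]) are the two atoms of a
    connection in branch B; returns (s_l (+) (S\\T), t_l (+) (T\\S)) for each l."""
    (mu, ss), (nu, ts) = left, right
    S, T = splitting_set(trees, mu, B), splitting_set(trees, nu, B)
    return [(color(s, S - T), color(t, T - S)) for s, t in zip(ss, ts)]

def ex2_connections():
    """Ex. 2: (P u1 f2(u1))_4{7} |- (P a7 u8)_9 and (Q u1)_5{10} |- (Q a10)_11."""
    u1, u8 = ('u', 1), ('u', 8)
    a7, a10 = ('f', 7, ()), ('f', 10, ())        # Skolem constants: arity-0 Skolem functions
    f2u1 = ('f', 2, (u1,))
    return (primary_equations(EX2_TREES, {7}, (4, [u1, f2u1]), (9, [a7, u8]))
            + primary_equations(EX2_TREES, {10}, (5, [u1]), (11, [a10])))

if __name__ == '__main__':
    print(beta_paths(EX1_TREES, {3, 4, 7, 8}))   # the four beta-paths of Ex. 1
    for lhs, rhs in ex2_connections():
        print(lhs, '=', rhs)
```

Running the script prints the β-paths {3,7}, {3,8}, {4,7}, {4,8} and the three equations u_1^1{7} = a_7, f_2(u_1^1{7}) = u_8 and u_1^1{10} = a_10 of Ex. 2; a variable is represented as ('u', m, color) and a Skolem term as ('f', m, args), so the two colorings of u_1^1 come out as distinct unknowns, which is what the rest of the section relies on.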

For each inference in a skeleton, there is exactly one principal formula. We 
can thus relate inferences in a skeleton by means of how their principal formulae 
are related. Moreover, since every inference in a branch of a normal skeleton is 
uniquely determined by the index pair of its principal formula, we can use the 
notation r[m^n, B] to designate the inference with principal formula m^n in the 
branch B. If there is no such inference in the branch, then r[m^n, B] is undefined. 
If the inference is of type γ we can display this in the notation by using the 
instantiation variable; r[u_m^n, B] refers to the inference r[m^n, B] and also shows 
that it is of type γ. Similarly, r[f_m^n, B] shows that the inference is of type δ. If 
a formula with index pair m^n is principal in only one branch B, or the branch B 
is clear from the context, we can omit B and write r[m^n], r[u_m^n] or r[f_m^n]. 

There are three important relations between inferences in a skeleton that 
we will consider. First, the dominance relation between formula occurrences 
gives rise to a dominance relation between inferences: r[μ] ≫ r[ν] holds 
if μ dominates ν. Second, a substitution σ gives rise to a substitution relation 
between inferences in the following way. If σ(u_m^n S) = f_k^l t̄, B denotes a branch 
with S ⊆ B, and both r[u_m^n, B] and r[f_k^l, B] are defined, then r[u_m^n, B] ⊑ r[f_k^l, B] 
holds with respect to S. Third, for all branches B and B' in a skeleton, r[m^n, B] is 
contextually equivalent to r[m^n, B'], i.e. inferences whose principal formulae have 
the same index pair are contextually equivalent. 

Skeletons can be represented at a higher level of abstraction by skeleton dia- 
grams in which the diagram labels denote inferences and edges denote relations 
between them. The following diagram labels are used: 

α-inference: ○      γ-inference: u_m^n (or a meta-symbol) 

β-inference: △      δ-inference: f_m^n (or a meta-symbol) 

We use u, w as metasymbols for instantiation variables and a, b, c for Skolem 
constants. There are three types of links between the labels, corresponding to 
the three relations introduced above. Arrows with solid lines display the dom- 
inance relation. Arrows with dashed lines display the substitution relation and 
are labeled with splitting sets; the dashed line is labeled with S if r ⊑ s holds 
with respect to S. A dotted line means that the two inferences are contextually 
equivalent. 

Example 3. [Skeleton diagram not reproduced.] 

The skeleton diagram represents one possible way of fill- 
ing out the missing details of Ex. 2. The variable u_1^1 
is colored in two ways: with {7^1} and {10^1}. The colored 
variables u_1^1{7^1} and u_1^1{10^1} are assigned different values. 

Incidentally, all substitution arrows point downwards. 
This property of the diagram corresponds to the eigen- 
parameter condition (in Section 3 we shall call skeletons 
with this property conforming). 



For the discussion of the following two examples we need some new concepts. 
To this end let (Ps̄)_μ S ⊢ (Pt̄)_ν T be the subsequent which gives rise to the 
connection (Ps̄) ⊕ (S \ T) ⊢ (Pt̄) ⊕ (T \ S). Let us say that it also gives rise to 
the unpruned connection (Ps̄) ⊕ S ⊢ (Pt̄) ⊕ T and that the real connection is 
a pruning of the unpruned one. Let us also say that a variable in the unpruned 
connection is pruned to a corresponding variable in the real connection (e.g. u_m^n S 
is pruned to u_m^n (S \ T)). 

In Ex. 2 the unpruned connections coincide with the real connections. The 
next example illustrates that this is not always the case and that it is in general 
incorrect to use unpruned connections as a basis for proofs. 
Example 4. The sequent ∀x(Px ∨ Qx) ⊢ ∀xPx, ∀xQx is not valid. Let b, c abbrevi- 
ate a_5^1, a_7^1, respectively; the occurrence numbers are ∀x:1, ∨:2, Px:3, Qx:4 for 
the antecedent and ∀x:5, Px:6, ∀x:7, Qx:8 for the two succedent formulae. The leaf 
sequents obtained after expanding the formulae in the sequent and one extra copy 
of the antecedent formula are given below (the next extra copy is not displayed). 
The formulae marked with an asterisk give rise to a spanning set of connections; 
the corresponding primary equations are given next to each leaf sequent. These 
primary equations cannot be solved simultaneously. There are also four auxiliary 
equations, u_1^1 = u_1^1{3^2}, u_1^2 = u_1^2{3^1}, u_1^2 = u_1^2{4^1} and u_1^1 = u_1^1{4^2}. 
No secondary equations result from these. 

Leaf sequents:                                                     Prim. eq.: 

  *Pu_1^1{3^2}, Pu_1^2{3^1} ⊢ *Pb{3^1,3^2}, Qc{3^1,3^2}              u_1^1 = b 

  Pu_1^1{4^2}, *Qu_1^2{3^1} ⊢ Pb{3^1,4^2}, *Qc{3^1,4^2}              u_1^2 = c 

  Qu_1^1{3^2}, *Pu_1^2{4^1} ⊢ *Pb{4^1,3^2}, Qc{4^1,3^2}              u_1^2 = b 

  Qu_1^1{4^2}, *Qu_1^2{4^1} ⊢ Pb{4^1,4^2}, *Qc{4^1,4^2}              u_1^1 = c 

[Skeleton diagram not reproduced.] 

Observe that the corresponding unpruned connections can be closed by the 
substitution {u_1^1{3^2}/b, u_1^2{3^1}/c, u_1^2{4^1}/b, u_1^1{4^2}/c}. It is this mapping which is 
illustrated in the diagram above. The reason why the real connections cannot 
be closed is that u_1^1 is a pruning of both u_1^1{3^2} and u_1^1{4^2}. And the reason for 
this is that the β-inference which causes the splitting of u_1^1 does not contribute 
to any of the connections in which u_1^1 occurs. 



Example 5. Secondary equations are in general necessary for consistency. Con- 
sider a proof of the sequent ∃x(Rx → Px), ∀xRx, ∃xQx ⊢ ∃x(Px ∧ Qx), with occurrence 
numbers ∃x:5, →:6, Rx:7, Px:8 for the first antecedent formula, ∀x:9, Rx:10 for the 
second, ∃x:11, Qx:12 for the third, and ∃x:1, ∧:2, Px:3, Qx:4 for the succedent formula. 

[Skeleton diagram not reproduced.] 

Leaf sequents: 

(1) Ru_9^1{7^1}, Qa_11^1{7^1} ⊢ ∃x(Px ∧ Qx)_1^1{7^1}, Ra_5^1 

(2) Pa_5^1{3^1}, Qa_11^1{3^1,8^1}, ∀xRx{3^1,8^1} ⊢ Pu_1^1{8^1} 

(3) Pa_5^1{4^1}, Qa_11^1{4^1,8^1}, ∀xRx{4^1,8^1} ⊢ Qu_1^1{8^1} 

Primary equations: 

(1) u_9^1{7^1} = a_5^1 

(2) a_5^1 = u_1^1{8^1} 

(3) a_11^1 = u_1^1 

Auxiliary equations: 

(1a) u_9^1{7^1} = u_9^1{3^1,7^1} 

(1b) u_9^1{7^1} = u_9^1{4^1,7^1} 

(3a) u_1^1 = u_1^1{8^1} 

Secondary equations: 

u_1^1 = u_1^1{8^1} 

Note that the formulae in the sequent correspond to the formula trees in Ex. 1. 
The set of primary equations is solved by {u_9^1{7^1}/a_5^1, u_1^1{8^1}/a_5^1, u_1^1/a_11^1}, but there 
is no substitution which also solves the set of secondary equations. 
Also, note that u_1^1{8^1} in connection (2) is pruned to itself, but in connection 
(3) it is pruned to u_1^1. The function of the auxiliary equations is to reintroduce 
the logical identity between colored variables which are different prunings of the 
same unpruned variable. 
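Whether a set of primary and secondary equations has a closing substitution is a syntactic unification problem in which differently colored copies of a variable are distinct unknowns and Skolem functions are rigid symbols. The Python script below is an added illustration written for this page, not the authors' code: a small unifier for colored terms applied to the equations of Ex. 5 (solvable from the primary equations alone, unsolvable once the secondary equation u_1^1 = u_1^1{8^1} is added) and to those of Ex. 4 (the pruned primary equations clash on u_1^1 and u_1^2, the unpruned ones do not). The term encoding and the function names are ours; the equations are transcribed from the examples, and the secondary equation is taken from the text rather than derived from the auxiliary equations.

```python
"""Closing substitutions for colored equations (Sect. 2; Exs. 4 and 5).

Added illustration, not the authors' code.  A colored variable u_m^n U is
('u', m, n, U) with U a frozenset of index pairs (occurrence, copy); a Skolem
term f_m^n(t1..tk) is ('f', m, n, args), a Skolem constant a_m^n the arity-0
case.  Secondary equations are taken as the paper states them.
"""

def var(m, n=1, *color):
    return ('u', m, n, frozenset(color))

def fun(m, n=1, *args):
    return ('f', m, n, tuple(args))

def walk(t, sigma):
    """Follow bindings until t is not a bound variable."""
    while t[0] == 'u' and t in sigma:
        t = sigma[t]
    return t

def occurs(v, t, sigma):
    t = walk(t, sigma)
    return t == v or (t[0] == 'f' and any(occurs(v, a, sigma) for a in t[3]))

def unify(eqs):
    """Syntactic unification of colored terms; None if there is no solution.
    Two colorings of the same variable are different unknowns, which is why
    pruned and unpruned connections can disagree (Ex. 4)."""
    sigma, todo = {}, list(eqs)
    while todo:
        s, t = todo.pop()
        s, t = walk(s, sigma), walk(t, sigma)
        if s == t:
            continue
        if s[0] == 'u':
            if occurs(s, t, sigma):
                return None
            sigma[s] = t
        elif t[0] == 'u':
            todo.append((t, s))
        elif s[1:3] != t[1:3] or len(s[3]) != len(t[3]):   # clash of Skolem symbols
            return None
        else:
            todo.extend(zip(s[3], t[3]))
    return sigma

def resolve(t, sigma):
    """Apply sigma exhaustively, giving the idempotent form of a binding."""
    t = walk(t, sigma)
    if t[0] == 'f':
        return ('f', t[1], t[2], tuple(resolve(a, sigma) for a in t[3]))
    return t

def closing_substitution(primary, secondary=()):
    """Idempotent solution of primary together with secondary, or None."""
    sigma = unify(list(primary) + list(secondary))
    return None if sigma is None else {v: resolve(t, sigma) for v, t in sigma.items()}

# Constructed from Ex. 5: a5 = a_5^1, a11 = a_11^1; u9{7}, u1{8} and u1 as in the leaves.
a5, a11 = fun(5), fun(11)
EX5_PRIMARY = [(var(9, 1, (7, 1)), a5), (a5, var(1, 1, (8, 1))), (a11, var(1))]
EX5_SECONDARY = [(var(1), var(1, 1, (8, 1)))]

# Constructed from Ex. 4: b = a_5^1, c = a_7^1; copies u_1^1 and u_1^2 of the antecedent variable.
b, c = fun(5), fun(7)
EX4_PRUNED = [(var(1, 1), b), (var(1, 2), c), (var(1, 2), b), (var(1, 1), c)]
EX4_UNPRUNED = [(var(1, 1, (3, 2)), b), (var(1, 2, (3, 1)), c),
                (var(1, 2, (4, 1)), b), (var(1, 1, (4, 2)), c)]

if __name__ == '__main__':
    print(closing_substitution(EX5_PRIMARY))                  # solvable
    print(closing_substitution(EX5_PRIMARY, EX5_SECONDARY))   # None: a_5 would have to equal a_11
    print(closing_substitution(EX4_PRUNED), closing_substitution(EX4_UNPRUNED))
```

For Ex. 5 the unifier returns exactly the substitution quoted above and fails as soon as u_1^1 and u_1^1{8^1} are identified, since a_5^1 and a_11^1 are distinct Skolem constants; for Ex. 4 it shows that the four unpruned variables are unrelated unknowns while the pruned equations force u_1^1 = b = c.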

3 Consistency 

The system introduced in this paper is consistent and complete [12]. Both of 
these properties can be established by relating free variable proofs to proofs in 
a ground calculus with an eigenparameter condition (for which soundness and 
completeness is standard). Completeness is the easier direction; from a proof 
in the ground system it is straightforward to simultaneously construct a free 
variable skeleton and a closing substitution. The rest of this section gives an 
outline of the consistency argument. For any given proof in the free variable 
system the argument shows how one can transform it into a proof which is 
cycle-free, conforming and projective (all notions defined below). Given these 
properties, there is a proof of the endsequent in a ground calculus with the usual 
eigenparameter condition. 

Take a proof (π, C, σ). The first step is to construct a balanced skeleton from 
π. A skeleton is balanced if for all contextually equivalent inferences r and s the 
following holds: if r' ≫ r, there is an inference s' contextually equivalent to r' 
such that s' ≫ s. Let π' be the skeleton obtained by balancing π. 

Lemma 2. The spanning set of connections C for π is spanning also for π'. 
Furthermore, the generated set of equations (primary, auxiliary, secondary) are 
identical. Thus, (π', C, σ) is a proof. 

Side comment. It follows from Lemma 2 that for balanced skeletons it is suf- 
ficient to define auxiliary equations of the form uU = uV , where uU is a pruning 
of the unpruned variable uV . The more complex definition in Section 2 accounts 
for unbalanced skeletons as well. 

Next, we introduce a new relation > between inferences: r > s holds if there 
is an inference r' such that r ≫ r' and r' is contextually equivalent to s. The 
transitive closure of > ∪ ⊑ defines the reduction ordering ▷. A cycle is a finite 
sequence of inferences r₁, ..., r_n, for n ≥ 2, such that r₁ ▷ r₂, ..., r_n ▷ r₁. We 
say that a proof contains the cycle r₁, ..., r_n; if a proof contains no cycle it is 
cycle-free. A proof is thus cycle-free if and only if ▷ is irreflexive. 

Due to the type of δ-rules used, proofs are in general not cycle-free (as they 
would have been if all instantiation variables in the conclusion had been argu- 
ments to the Skolem function). A simple example is the proof of ⊢ ∃x(Px → 
∀xPx) with only three rule applications. A more complex example is the follow- 
ing. 

Example 6. Let φ_1^n be (∀x(∀xQx → Px))_1^n and ψ_6^n be (∃x(Qx → ∀xPx))_6^n, with 
occurrence numbers ∀x:1, →:2, ∀x:3, Qx:4, Px:5 in φ and ∃x:6, →:7, Qx:8, ∀x:9, 
Px:10 in ψ. Below is a proof of φ_1^1 ⊢ ψ_6^1, read upwards from the endsequent; the 
closing substitution is written next to the leaf sequents. 

  φ_1^1 ⊢ ψ_6^1                                                        endsequent 
  φ_1^1 ⊢ ψ_6^2, (Qu_6^1 → ∀xPx)_7^1                                   R∃, introduces u_6^1 
  φ_1^1, Qu_6^1 ⊢ ψ_6^2, (∀xPx)_9^1                                    R→ 
  φ_1^1, Qu_6^1 ⊢ ψ_6^2, Pa_9^1                                        R∀, introduces a_9^1 
  φ_1^2, (∀xQx → Pu_1^1)_2^1, Qu_6^1 ⊢ ψ_6^2, Pa_9^1                   L∀, introduces u_1^1 
  L→ with β-options 3^1 and 5^1: 
    left:  φ_1^2{3^1}, Qu_6^1{3^1} ⊢ (∀xQx)_3^1, ψ_6^2{3^1}, Pa_9^1{3^1} 
           φ_1^2{3^1}, Qu_6^1{3^1} ⊢ Qa_3^1, ψ_6^2{3^1}, Pa_9^1{3^1}     R∀, introduces a_3^1; closed by u_6^1{3^1}/a_3^1 
    right: φ_1^2{5^1}, Pu_1^1, Qu_6^1{5^1} ⊢ ψ_6^2{5^1}, Pa_9^1{5^1}    closed by u_1^1/a_9^1 

The set of primary equations is {u_6^1{3^1} = a_3^1, u_1^1 = a_9^1}; there are no auxiliary 
equations. A closing substitution is given next to the leaf sequents. The following 
is a cycle: r[u_6^1] ⊑ r[a_3^1], r[a_3^1] > r[u_1^1], r[u_1^1] ⊑ r[a_9^1] and r[a_9^1] > r[u_6^1]. 

Lemma 3. A proof (π′, C, σ) such that π′ is balanced can be extended to a proof which is cycle-free.

The full details of this proof are fairly complex [12]. The idea is to systematically “break up” cycles by introducing fresh instantiation variables (from implicitly copied γ-formulae) and assigning substitution values to these instantiation variables such that cycles are eliminated one by one. By changing the underlying substitution in this way, the substitution relation, and consequently the reduction ordering, changes. A cycle provides enough information to pinpoint exactly the branches of the skeleton that should be extended and the γ-formulae in the leaf sequents that should be expanded to achieve this. The expanded γ-formulae always have a higher copy number than the γ-formulae principal in an inference in a cycle. All information about this is encapsulated in the diagrams.

Example 7. There are two ways of eliminating the cycle in Ex. 6. The first expands the rightmost leaf sequent, which is closed by the binding u₁{3}/a₃. If this binding is removed, the cycle would be eliminated. In order to close the skeleton without this binding, and with the other bindings untouched, we can introduce a new instantiation variable u₃ and a new binding u₃/a₃. To get the variable u₃, we must expand φ¹ in the rightmost leaf sequent. The result of doing this gives a new skeleton in which the rightmost branch is closed by u₃/a₃, but the other new branch is not closed. One way to close this branch is to introduce a further binding, but this would give another cycle. Another way is to assign u₁ in that branch to the value a₆, but this is exactly the binding we want to avoid. In the same spirit as for the first expansion, we can expand ψ⁰ in order to get a new variable u₆, which can be sent to a₆ by means of a binding of u₆ to a₆. Then a cycle-free proof is obtained. The leftmost diagram below is a representation of this cycle-free extension of the skeleton.

Another way of eliminating the cycle consists of removing the binding u₁{3}/a₃ from the cycle, introducing a binding of u₁, with a different splitting set, to a₃, and expanding ψ⁰ in the leftmost sequent of the original skeleton, i.e. the leaf sequent in which u₀ occurs. This cycle-free extension is represented by the rightmost diagram.



The next transformation step is a permutation operation. A permutation variant of a skeleton is a skeleton which differs only in the order of rule applications. Since the permutative operations are applied to balanced skeletons, it is sufficient to apply symmetrical permutation schemes [11]. By inspecting the patterns of these schemes, it is straightforward to verify the invariance property for balanced skeletons: the sets of leaf sequents are invariant under permutation. Hence any two permutation variants have identical leaf sequents.

Permutation operations are used to generate skeletons that are conforming. A skeleton conforms to the induced substitution ordering ⊏ if for all inferences r and s such that r ⊏ s, r is above s in the skeleton. This property corresponds to the eigenparameter condition and depends only on the order of rule applications.

Lemma 4. Every cycle-free proof has a conforming permutation variant. 

Proof. The proof is by induction on the sub-skeletons, using the ⊏-relation and the following fact. For any sub-skeleton with a non-atomic formula occurrence φ in the endsequent such that φ is expanded somewhere in the sub-skeleton, there is a permutation variant of the sub-skeleton which has φ as principal in the lowermost inference (see Lemma 2.14 in [11]). □

The last part of the consistency argument deals with a particular feature of the new system. When an instantiation variable is assigned two different colors and the resulting colored variables are assigned to different terms, a direct translation into a ground calculus is blocked. We say that the induced substitution ordering ⊏ is projective if r ⊏ s₁ and r ⊏ s₂ implies that s₁ = s₂. If ⊏ is projective, we say that the proof is projective.

Lemma 5. Every cycle-free and conforming proof has a projective extension.

Like for cycle elimination, we can introduce fresh instantiation variables (from implicitly copied γ-formulae) and assign values to these instantiation variables in order to construct a projective proof. By repeatedly adding γ-inferences to the skeleton, removing the bindings from the substitution which make the induced substitution ordering non-projective and introducing new bindings (keeping the substitution closing), it is possible to eliminate all “non-projective” parts of a closing substitution. Technically it is the primary and secondary equations which make this elimination go through. More precisely the argument rests on the following property. If r[uS₁, B₁] and r[uS₂, B₂] denote the same inference and σ(uS₁) ≠ σ(uS₂), then we can extend B₁ to B₁′ such that B₁′ has an inference r[uS₁′, B₁′] and such that a substitution σ′ is closing; σ′ is undefined for uS₁, maps uS₁′ to σ(uS₁) and otherwise agrees with σ.

Example 8. Let a, b, c be abbreviations for appropriate Skolem functions. The extra copy of the γ-formula is not displayed in the skeleton. A proof of the sequent ⊢ ∀x∀y∀z∃u(Pxu ∨ Pyu → Puz) is given below.

[Proof figure: the skeleton from the endsequent ⊢ ∀x∀y∀z∃u(Pxu ∨ Pyu → Puz) down to the two leaf sequents obtained by splitting Pau₁ ∨ Pbu₁ ⊢ Pu₁c; the tree itself is not recoverable from the scan.]

The primary equations are a = u₁{1}, b = u₁{2}, u₁ = c. There are no secondary equations. A closing substitution is {u₁{1}/a, u₁{2}/b, u₁/c}. The substitution ordering is not projective since r[u₁] ⊏ r[a] and r[u₁] ⊏ r[b], and r[a] ≠ r[b]. Observe that u₁ plays the role of both a rigid variable (u₁ without splitting set occurs in both branches) and a universal variable (u₁ occurs with different splitting sets in both branches). This skeleton can be made projective by expanding the γ-formula ∃u(Pau ∨ Pbu → Puc) in both branches, thus removing both of the bindings u₁{1}/a and u₁{2}/b. The diagrams suggest an interpretation of the operation in terms of detachment. Two of the arrows out from u₁ are detached from the node and attached to newly created nodes in the diagram to the right. It is not necessary to expand the β-subformula above these two new nodes, because a closing substitution is reached already after applying R→.
4 Conclusion

Compared to standard sequent calculi or tableau systems with an eigenvariable condition our system is at least as good wrt. both proof length and the size of the search space, in addition to allowing full flexibility in the order of rule application. There is every reason to believe that the technique can be extended to freely permuting free variable systems for intuitionistic and modal logics surveyed in [11]. There are interesting questions that are not yet addressed, including complexity analyses and investigations of the cut rule.
Abstract. The Tableaux Work Bench (TWB) is a meta tableau system designed for logicians with limited programming or automatic reasoning knowledge to experiment with new tableau calculi and new decision procedures. It has a simple interface, a history mechanism for controlling loops or pruning the search space, and modal simplification.



1 Introduction 

Theorem provers for classical propositional modal logics have matured dramati- 
cally to the point where formulae with hundreds of symbols can be tested within 
a few seconds. Direct theorem provers like FaCT [12] and LWB [8] utilise many 
different optimisation techniques to speed up proof search in particular log- 
ics, while translational provers like MSPASS [13] utilise fast first-order theorem 
provers like SPASS. But these avenues are not always viable: FaCT cannot han- 
dle logics with an intuitionistic base; although the LWB can handle intuitionistic 
logic, it can handle only a fixed collection of logics; and although MSPASS gives 
a sound and complete prover for any first-order definable logic, a priori, it gives 
a decision procedure only for the ones that fall into decidable fragments of first- 
order logic like the two-variable fragment, or the guarded fragment. Indeed, 
MSPASS has many flags, and it is not at all obvious how to obtain a decision 
procedure for a particular first-order definable logic using MSPASS. 

While generic tableau-based provers like Blast_tac [17] provide facilities for 
experimenting with new tableau calculi, as far as we are aware, the only system 
which allows a user to experiment with different optimisation techniques, differ- 
ent proof-search strategies and different tableau calculi together is lotrec [4], 
which we discuss in Section 6. 

Existing proof editors like xpe [15], JAPE [2] and PESCA [16] provide only 
rudimentary proof search facilities (e.g. iterative deepening for PESCA), while 
blobLogic [11] contains a fixed collection of tableau rules. 

The Tableaux Work Bench (TWB) is a generic meta-tableau system designed 
for expressing and combining new tableau rules into an underlying tableau proof 
(and disproof) engine. It provides a simple user-interface and facilities to incor- 
porate or design optimisations and specific decision procedures. By dividing 
high level and low level optimisations, the user can concentrate on algorithmic 
aspects related to his or her tableau calculus, leaving to the developer more 
complex and generic performance issues about the underlying prover. The TWB 
includes a generic history mechanism, facilities to perform simplification, to handle global assumptions and to implement more complex optimisation procedures. 
Currently, the TWB does not offer proof-editing capabilities. The TWB cannot 
possibly compete with FaCT, MSPASS or LWB in speed, but its versatility 
should be of use to the TABLEAUX community since there is no restriction to 
modal calculi, although currently, they must be propositional. 



2 Generic Tableau Algorithm 

The rules that can be specified with the TWB are those which respect the 
analytic super-formula property [7], allow history mechanisms [9, 10] and permit 
global assumptions [5]. At the moment it is not possible to specify calculi that 
require two pass tableau algorithms (a la PLTL), infinitary calculi, or explicit 
geometric relational properties like weak-directedness. However using the history 
mechanism and clever calculi design, it is possible to handle most well-known 
modal calculi. 

The TWB is based on a purely syntactic tableau algorithm. The user can 
specify the proof-search strategy governing the order of rule applications. Each 
step in the depth-first search corresponds with a rule application where a rule 
is selected if its pattern matches the formulae in the current node. Once a rule 
is selected and executed, the algorithm recursively continues the proof tree ex- 
ploration until a closed tableau is found or it is not possible to apply any rules 
(in this case the branch is open). The only axiom embedded in the system is X, A, ¬A. However this axiom can be “turned off” if it is not necessary in the calculus (e.g. para-consistent logic).



3 User Interface 

The TWB is designed to be easy to use, flexible and extensible. Negated Normal Form (NNF) is available but not mandatory, and the user can program his or her own rewriting system for normal forming; see the manual [1].

Connective Definitions The TWB has a number of hard-wired symbols to 
express connectives with one, two or three arguments. To add a new symbol to 
the language, at the moment, it is necessary to edit the source code of the lexer 
and symbols’ parser, but in future releases, new connectives will be defined via 
the user interface itself. 

Rule Definitions The first step toward the specification of a new calculus is to define a set of rules. A rule is (up to) a six-tuple rule (pat, act, heuristic, branching, invertibility, name) where: pat is a pattern for the numerator; act is a pattern for the denominator(s); heuristic is an ordering function that affects the principal formula selection strategy; branching is either All or Exist to indicate whether all or only one denominator must close; invertibility is either Static or Trans to indicate whether the rule is invertible and name is a string in quotes to describe this rule. Heuristic, branching and invertibility are optional and their defaults are respectively: the null function (meaning no ordering), All and Static. The various components can be specified using a let statement inherited from OCaml in which an internal rule name can be specified for the defined rule. For example, the classical propositional tableau (∨) rule is:

    let or_r =
      let p = pat { "{A v B}"; "X" }             (* numerator:    A v B ; X *)
      and a = act { "A" ; "X" | "B" ; "X" }      (* denominators: A ; X  |  B ; X *)
      in rule (p, a, All, Static, "Or");;

The numerator consists of a principal formula enclosed in braces and a list 
of sets. The denominator consists of a list of branches, defined by lists of sets. 
We prefer this terminology rather than “premiss” and “conclusion” since these 
latter terms can cause confusion when using sequent calculi. The rule pattern is 
matched against the formulae in the current node and the rule action is executed 
only if the pattern is satisfied. The heuristic function can be specified in each 
rule and affects the selection of the principal formula of that rule. It is basically 
a comparison function: for example, to select the formula with higher modal 
weight the heuristic function could be defined by the user as: 
    let weight f1 f2 =
      let rec w = function
        | term "A & B" | term "A v B" -> w (term "A") + w (term "B")
        | term "dia A" | term "box A" -> 1 + w (term "A")
        | term "~ A" -> w (term "A")   (* negation; the connective symbol is illegible in the scan *)
        | term "atom a" -> 0
        | _ -> failwith "error in weight"
      in
      if (w f1) = (w f2) then 0
      else if (w f1) > (w f2) then 1
      else -1

The “or” rule definition above will consequently be modified to include the heuristic definition as rule (p, a, weight, All, Static, "Or"). It’s also possible to define a set of additional side conditions that must be fulfilled in order to fire a rule. For example a basic modus ponens rule on atomic formulae for the contraction-free calculus for intuitionistic logic can be coded as below, where member(x,Y) is a user-defined function that checks if x is in the set Y.

    let mp =
      let p = pat { "{atom p -> B}"; "X" ; member("atom p", "X") }
      and a = act { "atom p"; "B" ; "X" }
      in rule (p, a, All, Static, "MP");;

Non-invertible rules invariably introduce non-determinism into a calculus and lead to choice-points in the search procedure which are explored by backtracking. In the TWB, we have chosen to specify such choice points explicitly via the “Existential” branching construct. For example the traditional (K)-rule is:

    let k_r =
      let p = pat { "{dia A}" ; "box X" ; "dia Y" ; "Z" }       (* numerator:    dia A ; box X ; dia Y ; Z *)
      and a =
        matchset "dia Y" with
          [] -> act { "A" ; "X" }                               (* denominator:  A ; X *)
        | _  -> act { "A" ; "X" | "box X" ; "dia Y" ; "Z" }     (* denominators: A ; X  ||  box X ; dia Y ; Z *)
      in rule (p, a, Exist, Trans, "K")

where matchset is used to define two actions: one when the set ◇Y is empty and the other when it is not. The Exist appellation declares to the prover that only one of the two denominators need close in the second case.

In the example above, the box X part matches all □-formulae in the current node, hence Z contains neither □- nor ◇-formulae.



Systematic Proof Search and Strategy Each set of rules is attached to a strategy defining the proof search procedure for the associated calculus. A strategy is defined in terms of two types of cycles (lists) containing rule names. A *-cycle executes the rules in list-order until none of them are applicable. A +-cycle executes the first applicable rule in its list only. The strategy stops if a closed tableau is detected or if no rule is applicable.

For example, the following strategy definition specifies the usual systematic procedure for modal logic K where the And and Or rules are executed until they are not applicable (saturation step), and the (K)-rule above is executed once (transitional step):

    let str = strategy [ [and_r ; or_r] * ; k_r ];;



History Mechanisms The TWB also has a history facility for efficient loop-checking as part of the rule definition. For example, the traditional rule for handling reflexivity in the logic KT requires an implicit contraction on the principal formula to make it invertible. But this rule can then be applied ad infinitum, and so a starring mechanism is usually employed to stop this behaviour as shown below left. Alternatively, explicitly specifying side-conditions and actions to be executed on a history Z suffices, as shown below at right, where − is a separator:

    □A ; X                                  □A ; X − Z
    -------------  □A not starred           --------------------  □A ∉ Z
    A ; (□A)* ; X                           A ; □A ; X − □A ∪ Z

This can be coded in the TWB using the construct − H{ ... } to express histories:

    let t_r =
      let p = pat { "{box A}"; "X" - H { isnotin("Z", "box A") } }
      and a = act { "A"; "box A"; "X" - H { add("Z", "box A") } }
      in rule (p, a, All, Static, "T Rule History");;

The system also allows a light version of a history, called starring, where a formula is simply starred to avoid considering it more than once, rather than making an explicit copy of it into a history.
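As an added illustration of the generic tableau algorithm of Section 2 and of the rule, strategy and history constructs described above (example code written for this page, not the TWB's OCaml implementation; its encoding of formulas, nodes, rules and strategies is an assumption), the following Python prover runs the And, Or and K rules under the strategy [ [and_r ; or_r] * ; k_r ] and a T rule guarded by a history set Z. Formulas are assumed to be in negation normal form, the history is assumed to be emptied when the K rule moves to a new world, and a +-cycle is assumed to restart the strategy on each denominator it produces; none of these three points is fixed by the text.

```python
"""Toy generic tableau engine in the style the TWB paper describes (assumed encoding,
not the TWB's): formulas are NNF tuples, a node is (frozenset of formulas, frozenset
history Z), and a rule maps a node to None or (branching, [denominator nodes])."""


def atom(a):
    return ('atom', a)


def neg(f):
    """Negation pushed to the atoms (negation normal form)."""
    op = f[0]
    if op == 'atom': return ('not', f)
    if op == 'not':  return f[1]
    if op == 'and':  return ('or', neg(f[1]), neg(f[2]))
    if op == 'or':   return ('and', neg(f[1]), neg(f[2]))
    if op == 'box':  return ('dia', neg(f[1]))
    return ('box', neg(f[1]))           # op == 'dia'


def weight(f):
    """Modal weight, after the paper's heuristic: number of nested modal operators."""
    op = f[0]
    if op in ('and', 'or'):  return weight(f[1]) + weight(f[2])
    if op in ('box', 'dia'): return 1 + weight(f[1])
    if op == 'not':          return weight(f[1])
    return 0


def closed(node):
    """The only built-in axiom: X, A, ~A closes the node."""
    fs, _ = node
    return any(('not', f) in fs for f in fs)


def pick(fs, op):
    """Principal-formula selection: the op-formula of highest modal weight, if any."""
    cands = [f for f in fs if f[0] == op]
    return max(cands, key=weight) if cands else None


def and_r(node):                      # {A & B}; X  -->  A; B; X
    fs, z = node
    f = pick(fs, 'and')
    return None if f is None else ('All', [((fs - {f}) | {f[1], f[2]}, z)])


def or_r(node):                       # {A v B}; X  -->  A; X | B; X
    fs, z = node
    f = pick(fs, 'or')
    return None if f is None else ('All', [((fs - {f}) | {f[1]}, z), ((fs - {f}) | {f[2]}, z)])


def t_r(node):
    """KT reflexivity with history: {box A}; X - H{isnotin(Z, box A)}
    -->  A; box A; X - H{add(Z, box A)}.  The history blocks re-application."""
    fs, z = node
    cands = [f for f in fs if f[0] == 'box' and f not in z]
    if not cands: return None
    f = max(cands, key=weight)
    return 'All', [(fs | {f[1]}, z | {f})]


def k_r(node):
    """Transitional K rule: {dia A}; box X; dia Y; Z  -->  A; X  ||  box X; dia Y; Z
    (Exist: one denominator suffices).  Assumption: the history is emptied in the new world."""
    fs, z = node
    f = pick(fs, 'dia')
    if f is None: return None
    new_world = (frozenset({g[1] for g in fs if g[0] == 'box'} | {f[1]}), frozenset())
    if not any(g[0] == 'dia' and g != f for g in fs):   # matchset "dia Y" with []
        return 'Exist', [new_world]
    return 'Exist', [new_world, (fs - {f}, z)]


def search(node, strategy, steps):
    """Depth-first search.  strategy is a list of (rules, star): star=True is a *-cycle
    (repeat until no rule applies), star=False a +-cycle (fire the first applicable
    rule once, then, by assumption, restart the strategy on each denominator)."""
    if closed(node): return True
    if not steps: return False               # nothing applicable: the branch is open
    rules, star = steps[0]
    for rule in rules:
        res = rule(node)
        if res is None: continue
        branching, dens = res
        nxt = steps if star else strategy
        results = (search(d, strategy, nxt) for d in dens)
        return all(results) if branching == 'All' else any(results)
    return search(node, strategy, steps[1:])  # this cycle is exhausted: next step


def prove(formulas, strategy):
    """True iff the tableau for the given set of formulas closes."""
    return search((frozenset(formulas), frozenset()), strategy, strategy)


def valid(f, strategy):
    """f is valid iff the tableau for its negation closes."""
    return prove([neg(f)], strategy)


STR_K = [([and_r, or_r], True), ([k_r], False)]        # [ [and_r; or_r]* ; k_r ]
STR_KT = [([and_r, or_r, t_r], True), ([k_r], False)]  # assumed strategy for KT

if __name__ == '__main__':
    p, q = atom('p'), atom('q')
    k_axiom = ('or', ('dia', ('and', p, ('not', q))), ('or', ('dia', ('not', p)), ('box', q)))
    print(valid(k_axiom, STR_K), valid(('or', ('dia', ('not', p)), p), STR_K),
          valid(('or', ('dia', ('not', p)), p), STR_KT))   # True False True
```

Without the history check in t_r the node {□p, □q} would be rewritten to itself forever; with it, the prover reports the branch open and terminates, which is exactly the loop-control role the history Z plays in the rule above.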
User-Defined Functions and Simplification Side conditions can be added to the pattern by specifying predefined functions like isnotin above or user-defined functions which accept a formula and return true or false. Every time a pattern is matched against a formula set, every such specified function is evaluated on every formula, and the rule is executed only if all conditions are satisfied. A user defined simplification procedure [14] is used as shown below:

    A ∨ B ; X
    ---------------------------
    A ; X[A:=⊤]  |  B ; X[B:=⊤]

    let or_s_r =
      let p = pat { "{A v B}"; "X" }
      and a = act { "A" ; "X" [ "A" := top ] | "B" ; "X" [ "B" := top ] }
      in rule (p, a, All, Static, "Or Simpl");;

Global assumptions can also be used in the TWB, and can be defined stati- 
cally or dynamically: in the first case they must be specified on the command line 
and they are present for every input formula. In the latter, the user can specify 
a function that accepts an input formula and returns a set of global assumptions 
to be used against that formula in the proof. 

4 Experiments and Performance 

The flexibility of the TWB has been tested by implementing the traditional history-based calculi for the logics K, KT, and S4 [9] in a modular fashion. We have tested the TWB using the LWB benchmarks: the TWB could solve only the first several formulae in the respective test formulae in under 50 seconds each. These times are an order of magnitude slower than the LWB and are hardly state-of-the-art. There are two basic reasons for such a difference. First, the LWB embeds many known optimisations and heuristics while the TWB currently allows only modal simplification. Second, the LWB uses more efficient data structures while the TWB currently uses naive lists.

Conversely, the TWB easily allows us to extend the calculus for S4 into 
a calculus for S4.3 and then into (the non-first-order-definable) S4.3.1 while 
such an extension in the LWB is probably only possible for its authors. 

5 Implementation 

The TWB is implemented in OCaml [3], a strongly typed object oriented pro- 
gramming language available for many architectures. The TWB can be compiled 
either in native form, in byte code, or run via an OCaml shell, giving total flex- 
ibility. The rules and strategy definitions effectively become part of the system 
itself as they are compiled in byte code and dynamically linked to the prover 
engine. The basic data structures of the system are lists and hash tables leaving 
room for future performance improvements, but the modularity of the system 
allows easy customisation of the internal design. 
The user interface inherits its syntax from OCaml and is in fact only syntactic sugar added to the real language itself. This adds flexibility and generality 
because it is always possible to write more complex rule definitions without us- 
ing the user interface, but with the programming language itself. In this sense 
the prover can be seen just as a library for tableau oriented theorem proving. 



6 Related Work 

We now compare the TWB with related work in more detail. 

Direct provers like LWB [8] and FaCT [12] are clearly superior if they can 
handle the sought-after logic, and the LWB, in particular, can handle intuition- 
istic logic and a long list of particular modal logics. But programming a new 
calculus into the LWB or FaCT is difficult for anyone except their authors. 

Translational provers like MSPASS [13] are equally superior if the logic is 
first-order definable and falls into a decidable fragment like the two-variable 
fragment or the guarded fragment. SPASS can even handle “second-order” logics 
like G and Grz by using a non-standard translation into first-order logic that 
mimics the traditional tableau rules for these logics. But, a priori, MSPASS does 
not provide a decision procedure for a given decidable first-order-definable modal 
logic. The SCAN algorithm [6] for second-order quantifier elimination can often 
find first-order equivalents for many second-order relational conditions. But once 
again, this does not, a priori, lead to a decision procedure unless the first-order 
equivalents fall into a decidable subset of first-order logic. 

Blast_tac provides fairly basic facilities for designing new rules, and even 
allows certain rules to be marked as “undoable” (non-invertible), but it does not 
allow history mechanisms or further optimisation techniques like simplification. 
To be fair, Blast_tac deliberately trades completeness for versatility since it is 
designed to be used in an interactive setting like Isabelle and “completeness is 
hardly relevant to interactive proofs” [17]. 

The TWB is closest to lotrec [4] in that both are generic systems that 
allow a user to specify new rules and strategies for experimenting with proof-search. The main differences between them are the underlying execution models. lotrec works at a global level, keeping track of all tableau nodes, and the accessibility relations among them in an explicit manner. For example, the weak-directedness frame-condition for the logic S4.2 (∀x∀y∀z∃w. xRy & xRz ⇒ xRw & yRw) can be coded explicitly in lotrec by referring explicitly to R in the rules. The TWB works on a local level and keeps only the information relevant to the current node, so a condition like weak-directedness must be captured implicitly using a particular form of cut on super-formulae; see [7].

Whereas the TWB makes histories explicit, these must be simulated in 
lotrec by the user using the various node and edge marking techniques provided 
by lotrec. Since lotrec uses labels to mark the nodes it creates, it can handle 
the difference operator, which the TWB cannot handle. Overall, lotrec is bi- 
ased towards semantics while the TWB is biased towards proof theory. Which 
you use is probably best determined by the logic in question. 
7 Conclusion and Further Work 

The TWB allows users with little or no technical background in automatic rea- 
soning to encode their own tableau prover in a simple yet flexible manner. The 
code and user manual is available at http://csl.anu.edu.au/~abate/twb. 

The TWB is still a prototype and we envision much further work: we want to 
provide a sequent calculus front-end; provide facilities for calculi with “stoups”; 
provide facilities for hyper-sequents; allow nodes to contain multisets or lists 
rather than sets; allow rules which partition the side-formulae into two disjoint 
sets as needed in linear logic; and improve the speed of the underlying imple- 
mentation. 
Abstract. Decision procedures for the propositional cases of two different logical representations for an L-Predicate Logic generalizing Autoepistemic Logic to handle quantified variables over modal scopes are 
described. The first representation is Second Order Logic. The second is 
Z Modal Logic which extends its S5 modal laws with laws stating what 
is logically possible. It is suggested that certain problems are more easily 
solved using one representation whereas other problems are more easily 
solved using the other. 



1 Introduction 

One interesting L-Predicate Logic is Rigid-worlds. Rigid-worlds of a theory Γ of First Order Logic (i.e. FOL) is the ”infinite disjunction” of the worlds w which entail Γ and which for each sentence αᵢ with free variables whose name occurs as an argument to an occurrence of the predicate L in Γ, for all w entails L'αᵢ if and only if Γ → αᵢ holds in every world which gives L the same interpretation as did w. A world is a possible proposition that, for every other proposition, entails it or its negation. Entailment, written [w]p, is necessary implication. In Z Priorian Modal Second Order Logic [4] this is written as:

(Rigid-worlds Γ) =df ∃w(w ∧ (world w) ∧ ([w]Γ) ∧ ⋀_{i=1,n} ∀ξᵢ((L'αᵢ) ↔ ∀u(((world u) ∧ ([u](L'αᵢ))) → ([u](Γ → αᵢ)))))

where the 'αᵢ are arguments of L in Γ and L has a second unwritten argument binding the names of free variables in αᵢ to those variables. Rigid-worlds is interesting partly because it generalizes (propositional) Autoepistemic Logic [7] to a First Order Autoepistemic Logic such that quantifiers obey all the normal laws of FOL, the Barcan formula, and its converse, unlike [6]. Another reason is that it is representable both as a sentence of Second Order Logic (i.e. SOL) and as a sentence of Z Modal Logic [3]. Herein, we examine the problem of representing Rigid-worlds in these two logics and deducing consequences in the propositional subcases. Section 2 describes how Rigid-world problems are represented in SOL. Section 3 describes their representation in Z. Section 4 compares automatic theorem provers for the propositional subcase of these logics on some propositional problems. Some conclusions are drawn in Section 5.

2 SOL Representation of Rigid-Worlds

Rigid-worlds of a theory Γ of FOL is equivalent to a sentence of SOL as given in theorem SOL1 below:

SOL1: (Rigid-worlds Γ) = (Γ ∧ ⋀_{i=1,n} ∀ξᵢ((L'αᵢ) ↔ ∀P₁...Pₘ((Γ → αᵢ){πⱼ/Pⱼ}_{j=1,m})))

where π₁...πₘ are all the unmodalized predicates other than L in Γ and where the 'αᵢ are arguments to occurrences of the L predicate in Γ. {πⱼ/Pⱼ}_{j=1,m} is the substitution for each j of Pⱼ for the predicate πⱼ in the preceding sentence. However, fixed predicates can be handled with an asymptotically simpler subformula, which may change the asymptotic size of the overall formula as given in theorem SOL2 below:

SOL2: (Rigid-worlds (Γ ∧ ⋀_{i=1,f} ∀ξᵢ((L'(pᵢξᵢ)) ↔ (pᵢξᵢ))))
 = (Γ ∧ ⋀_{i=1,f} ∀ξᵢ((L'(pᵢξᵢ)) ↔ (pᵢξᵢ)) ∧ ⋀_{i=1,n} ∀ξᵢ((L'αᵢ) ↔ ∀P₁...Pₘ((Γ → αᵢ){πⱼ/Pⱼ}_{j=1,m})))

where π₁...πₘ are all the predicates in Γ other than the pᵢ predicates and where the 'αᵢ are arguments to occurrences of the L predicate in Γ. Restricting Γ and each αᵢ in the above formulas to have predicate symbols of only zero arity and eliminating any FOL object quantifiers gives propositional instances of the above theorems. The propositional instance of theorem SOL1 is:

SOL1*: (Rigid-worlds Γ) = (Γ ∧ ⋀_{i=1,n}((L'αᵢ) ↔ ∀P₁...Pₘ((Γ → αᵢ){πⱼ/Pⱼ}_{j=1,m})))

which (with propositional constants replaced by unbound propositional variables) is equivalent to the formula previously given in [5] which was shown therein to represent Autoepistemic Logic. The propositional instance of theorem SOL2 is:

SOL2*: (Rigid-worlds (Γ ∧ ⋀_{i=1,f}((L'pᵢ) ↔ pᵢ)))
 = (Γ ∧ ⋀_{i=1,f}((L'pᵢ) ↔ pᵢ) ∧ ⋀_{i=1,n}((L'αᵢ) ↔ ∀P₁...Pₘ((Γ → αᵢ){πⱼ/Pⱼ}_{j=1,m})))

A Propositional Logic example and an analogous FOL example of the SOL approach to deduction in Rigid-worlds are given below:

Propositional Example: (Rigid-worlds((L'p) → p))

By SOL1* we get: ((L'p) → p) ∧ ((L'p) ↔ ∀P((((L'p) → p) → p){p/P}))
Applying the substitution gives: ((L'p) → p) ∧ ((L'p) ↔ ∀P(((L'p) → P) → P))
Which is equivalent to: ((L'p) → p) ∧ ((L'p) ↔ ∀P(((L'p) → ⊥) → P))
Which is equivalent to: ((L'p) → p) ∧ ((L'p) ↔ ∀P((¬(L'p)) → P))
Pushing P to lowest scope gives: ((L'p) → p) ∧ ((L'p) ↔ ((¬(L'p)) → ∀P P))
which is equivalent to: ((L'p) → p) ∧ ((L'p) ↔ ((¬(L'p)) → ⊥))
which is equivalent to: ((L'p) → p) ∧ ((L'p) ↔ (L'p))
which is equivalent to: ((L'p) → p)

FOL Example: (Rigid-worlds(∀x((L'(p x)) → (p x))))

where L has a second unwritten argument which is an association list binding 'x to x.

By SOL1 or SOL2 we get:

(∀x((L'(p x)) → (p x))) ∧ ∀x((L'(p x)) ↔ ∀P(((∀x((L'(p x)) → (p x))) → (p x)){p/P}))

Applying the substitution gives:

(∀x((L'(p x)) → (p x))) ∧ ∀x((L'(p x)) ↔ ∀P((∀x((L'(p x)) → (P x))) → (P x)))

The lemma given below shows that the above sentence is just:

∀x((L'(p x)) → (p x)).

Lemma: ∀x((L'(p x)) ↔ ∀P((∀x((L'(p x)) → (P x))) → (P x)))

Proof: It suffices to prove: (L'(p x)) ↔ ∀P((∀x((L'(p x)) → (P x))) → (P x)). We make explicit the unwritten second argument to the L predicate:

(L'(p x)(('x.x))) ↔ ∀P((∀x((L'(p x)(('x.x))) → (P x))) → (P x))

We change the bound variable x to y:

(L'(p x)(('x.x))) ↔ ∀P((∀y((L'(p x)(('x.y))) → (P y))) → (P x))

The proof divides into two parts:

1. (L'(p x)(('x.x))) → ∀P((∀y((L'(p x)(('x.y))) → (P y))) → (P x))

It suffices to prove:

(L'(p x)(('x.x))) → ((∀y((L'(p x)(('x.y))) → (P y))) → (P x))

which holds by forward chaining.

2. ∀P((∀y((L'(p x)(('x.y))) → (P y))) → (P x)) → (L'(p x)(('x.x)))

Letting P be λz(z ≠ x), where x is the free x in the above sentence, gives

((∀y((L'(p x)(('x.y))) → ((λz(z ≠ x))y))) → ((λz(z ≠ x))x)) → (L'(p x)(('x.x)))

By lambda conversion this is:

((∀y((L'(p x)(('x.y))) → (y ≠ x))) → (x ≠ x)) → (L'(p x)(('x.x)))

which is equivalent to:

((∀y((y = x) → ¬(L'(p x)(('x.y))))) → ⊥) → (L'(p x)(('x.x)))

which is equivalent to: ((¬(L'(p x)(('x.x)))) → ⊥) → (L'(p x)(('x.x)))

which is a tautology.

[5] discusses the propositional example:

(Rigid-worlds(((¬(L'α)) → π) ∧ ⋀_{i=1,f}((L'pᵢ) ↔ pᵢ))) → π

where α is a randomly produced expression of clausal form Propositional Logic constructed from the fixed zero arity predicates pᵢ and non-fixed zero arity predicates πᵢ. If the size of α is O(c) then the SOL1* representation:

(Γ ∧ ((L'α) ↔ ∀P₁...Pₘ((Γ → α){πⱼ/Pⱼ}_{j=1,m})) ∧ ⋀_{i=1,f}((L'pᵢ) ↔ ∀P₁...Pₘ((Γ → pᵢ){πⱼ/Pⱼ}_{j=1,m}))) → π

where Γ is: (((¬(L'α)) → π) ∧ ⋀_{i=1,f}((L'pᵢ) ↔ pᵢ))

has size O(c + mf + f²), but the SOL2* representation:

(Γ ∧ (⋀_{i=1,f}((L'pᵢ) ↔ pᵢ)) ∧ ((L'α) ↔ ∀P₁...Pₘ((Γ → α){πⱼ/Pⱼ}_{j=1,m}))) → π

where Γ is: ((¬(L'α)) → π) has size O(c + m + f). This suggests that the SOL2* representation may be useful in proving theorems with many fixed predicates. This class of problems can be further simplified by renaming the P quantifiers and pushing them to lowest scope, giving:

(((¬(L'α)) → π) ∧ ⋀_{i=1,f}((L'pᵢ) ↔ pᵢ) ∧ ((L'α) ↔ ((((¬(L'α)) → ∃P P) → ∀P₁...Pₘ α{πⱼ/Pⱼ}_{j=1,m})))) → π

which is equivalent to:

(((¬(L'α)) → π) ∧ ⋀_{i=1,f}((L'pᵢ) ↔ pᵢ) ∧ ((L'α) ↔ ∀P₁...Pₘ α{πⱼ/Pⱼ}_{j=1,m})) → π

which is equivalent to:

(((¬(∀P₁...Pₘ α{πⱼ/Pⱼ}_{j=1,m})) → π) ∧ ⋀_{i=1,f}((L'pᵢ) ↔ pᵢ) ∧ ((L'α) ↔ ∀P₁...Pₘ α{πⱼ/Pⱼ}_{j=1,m})) → π

Since L does not occur in α, the equivalences defining L constitute a conservative extension, and therefore may be eliminated giving:

((¬(∀P₁...Pₘ α{πⱼ/Pⱼ}_{j=1,m})) → π) → π

which is equivalent to: (∀P₁...Pₘ α{πⱼ/Pⱼ}_{j=1,m}) → π

which is of size O(c + m). To prove or refute such a theorem we try to prove ((∀P₁...Pₘ α{πⱼ/Pⱼ}_{j=1,m}) → π) using a tableaux sequent calculus for propositional logic with propositional quantifiers.

3 Z Modal Logic Representation of Rigid-Worlds

Rigid-worlds of a theory $\Gamma$ of FOL is equivalent to a sentence of Z Modal Logic [2,3] as given in theorem ML1 below:

ML1: $(\text{Rigid-worlds}\;\Gamma) = \exists k(k \wedge (k = (\Gamma \wedge \bigwedge_{i=1,n} \forall \bar{x}_i((L'a_i) \leftrightarrow ([k]a_i)))))$

where $\bar{x}_i$ is the sequence of free variables in $a_i$. Z includes FOL, propositional quantifiers, S5 Modal Logic, and some axioms stating what is logically possible. However, a more interesting representation, also expressed in Z, is obtained by eliminating the L predicate as follows: First, using $\bigwedge_{i=1,n} \forall \bar{x}_i((L'a_i) \leftrightarrow ([k]a_i))$, every occurrence of $L'$ in $\Gamma$ is replaced by $[k]$. As names of sentences $'a_i$ are unquoted giving $a_i$, new occurrences of L may appear. Since these new occurrences of L appear under the scope of $[k]$, as do any occurrences of L in the $a_i$ sentences, and since the original necessary equivalence implies $[k]\bigwedge_{i=1,n} \forall \bar{x}_i((L'a_i) \leftrightarrow ([k]a_i))$, those $L'$ may also be replaced by $[k]$ ad infinitum. When all these replacements are made we derive the equivalent expression: $\exists k(k \wedge (k = (\Gamma\{L'/[k]\} \wedge \bigwedge_{i=1,n} \forall \bar{x}_i((L'a_i) \leftrightarrow ([k]a_i\{L'/[k]\})))))$ where $\Gamma\{L'/[k]\}$ represents the replacement of all $L'$ by $[k]$. Since L does not occur in $\Gamma\{L'/[k]\}$ nor $a_i\{L'/[k]\}$, $(\Gamma\{L'/[k]\} \wedge \bigwedge_{i=1,n} \forall \bar{x}_i((L'a_i) \leftrightarrow ([k]a_i\{L'/[k]\})))$ is a conservative extension of $\Gamma\{L'/[k]\}$, and $\bigwedge_{i=1,n} \forall \bar{x}_i((L'a_i) \leftrightarrow ([k]a_i\{L'/[k]\}))$ may thus be pulled out. The resulting representation, called the Kernel Representation, is:

ML2: $(\text{Rigid-worlds}\;\Gamma) = \exists k(k \wedge (\bigwedge_{i=1,n} \forall \bar{x}_i((L'a_i) \leftrightarrow ([k]a_i\{L'/[k]\}))) \wedge (k = (\Gamma\{L'/[k]\})))$

Restricting $\Gamma$ and each $a_i$ to have predicate symbols of only zero arity and eliminating any FOL object quantifiers gives propositional instances of the above theorems:

ML1*: $(\text{Rigid-worlds}\;\Gamma) = \exists k(k \wedge (k = (\Gamma \wedge \bigwedge_{i=1,n}((L'a_i) \leftrightarrow ([k]a_i)))))$

ML2*: $(\text{Rigid-worlds}\;\Gamma) = \exists k(k \wedge (\bigwedge_{i=1,n}((L'a_i) \leftrightarrow ([k]a_i\{L'/[k]\}))) \wedge (k = (\Gamma\{L'/[k]\})))$

In this case the fixed-point solutions can be deduced by the following algorithm:

Procedure for Solving Modal Equivalences [1]:

Step 1: Each maximal subformula $\alpha$ which contains k and is equivalent to $(\Box\alpha)$ is pulled out of the equation, causing it to be split into two cases, using the following theorem schema to replace any instance of the left side by the corresponding instance of the right side: $(k = (\phi\;\alpha)) \leftrightarrow ((\alpha \wedge (k = (\phi\;\#t))) \vee ((\neg\alpha) \wedge (k = (\phi\;\#f))))$.

Step 2: The resulting equivalence is simplified by the laws of Propositional Logic.

Step 3: On each disjunct the simplified value for k is back substituted into each such $\alpha$ or $(\neg\alpha)$ sentence, thereby eliminating k from them.

Step 4: The $\alpha$ and $(\neg\alpha)$ sentences are then simplified using the laws of the Z Modal Logic. In the propositional case, a decision procedure for Propositional Logic such as a Tableaux Sequent Calculus may be used instead.

A Tableaux Sequent Calculus for Propositional Logic may then be used to deduce consequences from the disjunction of all the solutions. A Propositional Logic example and an analogous FOL example are given below:

Propositional Example: $(\text{Rigid-worlds}\;((L'p) \to p))$.

By ML1* this is equivalent to: $\exists k(k \wedge (k = (((L'p) \to p) \wedge ((L'p) \leftrightarrow ([k]p)))))$

By ML2* this is equivalent to: $\exists k(k \wedge ((L'p) \leftrightarrow ([k]p)) \wedge (k = (([k]p) \to p)))$

Using the Procedure for Solving Modal Equivalences the necessary equivalence representing the kernel $k = (([k]p) \to p)$ is solved as follows:

Step 1: $(([k]p) \wedge (k = (\#t \to p))) \vee ((\neg([k]p)) \wedge (k = (\#f \to p)))$

Step 2: $(([k]p) \wedge (k = p)) \vee ((\neg([k]p)) \wedge (k = \#t))$

Step 3: $(([p]p) \wedge (k = p)) \vee ((\neg([\#t]p)) \wedge (k = \#t))$

Step 4: $(k = p) \vee (k = \#t)$

Plugging the solutions to the kernel necessary equivalence into the rest gives: $\exists k(k \wedge ((L'p) \leftrightarrow ([k]p)) \wedge ((k = p) \vee (k = \#t)))$

which distributes to:

$\exists k(k \wedge ((L'p) \leftrightarrow ([k]p)) \wedge (k = p)) \vee \exists k(k \wedge ((L'p) \leftrightarrow ([k]p)) \wedge (k = \#t))$

which is equivalent to: $(p \wedge ((L'p) \leftrightarrow ([p]p))) \vee (\#t \wedge ((L'p) \leftrightarrow ([\#t]p)))$

which is equivalent to: $(p \wedge ((L'p) \leftrightarrow \#t)) \vee (\#t \wedge ((L'p) \leftrightarrow \#f))$

which simplifies to: $(p \wedge (L'p)) \vee (\neg(L'p))$

which is just: $(L'p) \to p$

FOL Example: $(\text{Rigid-worlds}\;\forall x((L'(p\,x)) \to (p\,x)))$

where L has a second unwritten argument which is an association list binding 'x to x.

By ML1 this is:

$\exists k(k \wedge (k = \forall x((L'(p\,x)) \to (p\,x)) \wedge \forall x((L'(p\,x)) \leftrightarrow ([k](p\,x)))))$

By ML2 this is:

$\exists k(k \wedge (\forall x((L'(p\,x)) \leftrightarrow ([k]((p\,x)\{L'/[k]\})))) \wedge (k = (\forall x((L'(p\,x)) \to (p\,x))\{L'/[k]\})))$

which is: $\exists k(k \wedge (\forall x((L'(p\,x)) \leftrightarrow ([k](p\,x)))) \wedge (k = \forall x(([k](p\,x)) \to (p\,x))))$

By the following Lemma we solve the kernel necessary equivalence getting:

$\exists k(k \wedge (\forall x((L'(p\,x)) \leftrightarrow ([k](p\,x)))) \wedge \exists S(k = \forall x((\Box(S\,x)) \to (p\,x))))$

Plugging in the kernel solutions gives:

$\exists S((\forall x((\Box(S\,x)) \to (p\,x))) \wedge \forall x((L'(p\,x)) \leftrightarrow ([\forall x((\Box(S\,x)) \to (p\,x))](p\,x))))$

which is equivalent to: $\exists S((\forall x((\Box(S\,x)) \to (p\,x))) \wedge \forall x((L'(p\,x)) \leftrightarrow (\Box(S\,x))))$

which is equivalent to: $(\forall x((L'(p\,x)) \to (p\,x))) \wedge \exists S\,\forall x((L'(p\,x)) \leftrightarrow (\Box(S\,x)))$

Since $\Box(\exists S\,\forall x((L'(p\,x)) \leftrightarrow (\Box(S\,x))))$ is true we get just: $\forall x((L'(p\,x)) \to (p\,x))$.

Lemma: $(k = \forall x(([k](p\,x)) \to (p\,x))) \leftrightarrow \exists S(k = \forall x((\Box(S\,x)) \to (p\,x)))$

Proof: The proof divides into two parts:

1. $(k = \forall x(([k](p\,x)) \to (p\,x))) \to \exists S(k = \forall x((\Box(S\,x)) \to (p\,x)))$

Letting S be $\lambda x(k \to (p\,x))$ gives:

$(k = \forall x(([k](p\,x)) \to (p\,x))) \to (k = \forall x(([k](p\,x)) \to (p\,x)))$ which holds.

2. $\exists S(k = \forall x((\Box(S\,x)) \to (p\,x))) \to (k = \forall x(([k](p\,x)) \to (p\,x)))$

Using the hypothesis to replace k in the conclusion it suffices to prove: $(\forall x((\Box(S\,x)) \to (p\,x))) = \forall x(([\forall x((\Box(S\,x)) \to (p\,x))](p\,x)) \to (p\,x))$ which is true.

[5] discusses the propositional example:

$(\text{Rigid-worlds}\;(((\neg(L'\alpha)) \to \pi) \wedge \bigwedge_{i=1,f}((L'p_i) \to p_i))) \to \pi$

where $\alpha$ is a randomly produced expression constructed from the fixed zero arity predicates $p_i$ and non-fixed zero arity predicates $\pi_i$. By ML2* the modal representation is:

$\exists k(k \wedge ((L'\alpha) \leftrightarrow ([k]\alpha)) \wedge (\bigwedge_{i=1,f}((L'p_i) \leftrightarrow ([k]p_i))) \wedge (k = (((\neg([k]\alpha)) \to \pi) \wedge \bigwedge_{i=1,f}(([k]p_i) \to p_i))))$

which is of size $O(c+f)$ if $\alpha$ is of size $O(c)$. Ignoring the conservative extension L, a Tableaux Sequent Calculus for Propositional Logic is then used to try to prove $\pi$ from the disjunction of all the solutions to the kernel.
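As an added example (Python, not code from the paper), the Procedure for Solving Modal Equivalences in the propositional case, run on the kernel $k = (([k]p) \to p)$ of the Propositional Example above and on a constructed one-predicate instance of the [5] schema with $\alpha = \neg p_1$, from whose kernel solutions $\pi$ is then shown to follow. It assumes that the modal atom $[k]\alpha$ can be decided as "$(k \to \alpha)$ is a tautology", which replaces the Z simplification of Step 4 by a truth-table check.

```python
"""Procedure for Solving Modal Equivalences, propositional case (ML2* kernels).

Added example, not the paper's code.  Formulas are nested tuples: True/False
are #t/#f, a string is a zero-arity predicate, and the operators are
('not', a), ('and', a, b), ('or', a, b), ('imp', a, b) and ('box', a), the
last being the modal atom [k]a with k the unknown kernel.  Assumption made
here: [k]a holds exactly when (k -> a) is a tautology, so Step 4 becomes a
truth-table check instead of the laws of Z.
"""
from itertools import product

BINARY = {'and': lambda a, b: a and b, 'or': lambda a, b: a or b,
          'imp': lambda a, b: (not a) or b}

def atoms(f):
    """Propositional variables of f (box contents included)."""
    if isinstance(f, str):
        return {f}
    return set().union(*(atoms(s) for s in f[1:])) if isinstance(f, tuple) else set()

def evaluate(f, env):
    """Truth value of a box-free formula under the assignment env."""
    if isinstance(f, bool):
        return f
    if isinstance(f, str):
        return env[f]
    if f[0] == 'not':
        return not evaluate(f[1], env)
    return BINARY[f[0]](evaluate(f[1], env), evaluate(f[2], env))

def tautology(f):
    """True iff f holds under every assignment of its variables."""
    names = sorted(atoms(f))
    return all(evaluate(f, dict(zip(names, bits)))
               for bits in product([False, True], repeat=len(names)))

def boxes(f):
    """Maximal [k]a subformulas of f, left to right (what Step 1 splits on)."""
    if not isinstance(f, tuple):
        return []
    if f[0] == 'box':
        return [f]
    return list(dict.fromkeys(b for s in f[1:] for b in boxes(s)))

def replace(f, table):
    """Replace every box atom by the truth value assumed for it in table."""
    if not isinstance(f, tuple):
        return f
    if f[0] == 'box':
        return table[f]
    return (f[0],) + tuple(replace(s, table) for s in f[1:])

def simplify(f):
    """Step 2: constant propagation by the laws of Propositional Logic."""
    if not isinstance(f, tuple):
        return f
    op, *args = [f[0]] + [simplify(s) for s in f[1:]]
    if op == 'not':
        return (not args[0]) if isinstance(args[0], bool) else ('not', args[0])
    a, b = args
    if op == 'and':
        if a is False or b is False:
            return False
        return b if a is True else a if b is True else (op, a, b)
    if op == 'or':
        if a is True or b is True:
            return True
        return b if a is False else a if b is False else (op, a, b)
    if a is False or b is True:                                   # op == 'imp'
        return True
    return b if a is True else simplify(('not', a)) if b is False else (op, a, b)

def solve_kernel(body):
    """All solutions k of the necessary equivalence k = body (Steps 1-4)."""
    bs, solutions = boxes(body), []
    for bits in product([True, False], repeat=len(bs)):
        table = dict(zip(bs, bits))                # Step 1: one case per box valuation
        k = simplify(replace(body, table))         # Step 2: the candidate value of k
        # Steps 3-4: back-substitute k into each [k]a and keep the case only if
        # every assumed value agrees with what [k]a then evaluates to.
        if all(tautology(('imp', k, box[1])) == assumed for box, assumed in table.items()):
            solutions.append(k)
    return solutions

def entails(solutions, goal):
    """Does goal follow from the disjunction of all kernel solutions?"""
    disjunction = False
    for k in solutions:
        disjunction = ('or', disjunction, k)
    return tautology(('imp', disjunction, goal))

# The paper's Propositional Example: kernel k = (([k]p) -> p); solutions p and #t.
EXAMPLE_KERNEL = ('imp', ('box', 'p'), 'p')

# Constructed one-predicate instance of the [5] schema (f = 1, alpha = not p1):
# k = (((not [k]alpha) -> pi) and (([k]p1) -> p1)); pi follows from its solutions.
SCHEMA_KERNEL = ('and', ('imp', ('not', ('box', ('not', 'p1'))), 'pi'),
                        ('imp', ('box', 'p1'), 'p1'))
```

For the Propositional Example the two surviving cases are exactly the paper's $(k = p) \vee (k = \#t)$; for the schema instance the solutions are $\pi \wedge p_1$ and $\pi$, so $\pi$ is a consequence while $p_1$ is not.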

4 Results and Comparison of SOL and Z Modal Logic ATPs

To test the effects of the SOL and the Z Modal Logic representations of Rigid-worlds we applied our automatic theorem provers for solving propositional problems in these representations to prove two classes of test theorems discussed in [5]. These theorems were of the form:

$(\text{Rigid-worlds}\;(((\neg(L'\alpha)) \to \pi) \wedge \bigwedge_{i=1,f}((L'p_i) \to p_i))) \to \pi$

where $\alpha$ is a sentence in clausal form not containing the L predicate. Each clause has 3 randomly chosen literals. Two tests were made. Test 1 involved a constant number of clauses and a linearly increasing number f of fixed predicates. Test 2 involved the case where f = 4 and an exponentially (i.e. a power of 2) increasing number of clauses. The results of Test 1 and Test 2 are given in Table 1 and Table 2 respectively.



Table 1 [figure not reproduced; series: SOL, Modal]

Table 1 shows that the execution time of the Modal ATP appears to increase exponentially as the number of fixed predicates increases, whereas the SOL ATP appears to increase at an asymptotically slower exponential rate. Conversely, Table 2 shows that the execution time of the SOL ATP appears to increase linearly as the number of clauses increases, whereas the Modal ATP appears to take constant time.

Table 2 [figure not reproduced; x-axis: Clauses]



5 Conclusion 

The existence of three different representations (i.e. Rigid-worlds, SOL and Z 
Modal Logic) for a nonmonotonic system allows different automatic theorem 
proving approaches to be developed. The results given herein suggest that dif- 
ferent representations are useful for solving different classes of problems and, 
therefore, that a better automatic deduction system may be constructed by us- 
ing multiple representations. One such approach would be to determine the class 
of a problem and then use the representation that was best for that class. Al- 
ternatively, the apparent asymptotic differences in the deductive behavior of 
different representations suggests that one could also attempt to solve a prob- 
lem (whose class was unknown) with multiple representations at the same time 
without wasting much effort. 
Abstract. The Logistica 2.0 Deduction System Implementation Technology is a programming language extension to R5RS Scheme which automatically computes all possible combinations of values of multiply valued subexpressions. Multiple values are generated by multiple definitions of a symbol and by allowing Second Order patterns such as segment variables, which may match in different ways, as the parameters of lambda abstractions. This technology is briefly illustrated with an extensible deduction system involving the derivation of an axiom schema.



1 Introduction 

Logistica 2.0 is a system for implementing automatic deduction systems and for embedding them into larger Artificial Intelligence reasoning applications. The basic idea of Logistica is to supplement the language facilities of R5RS Scheme [14], a particularly elegant dialect of Lisp [17], with additional capabilities including allowing symbols to be symbolic, variables to be multiply defined, and complex patterns such as segment variables to occur in the formal parameter list of lambda abstractions. A simple example illustrating some elementary capabilities of Logistica is given in section 2. Some conclusions are drawn in section 3.

2 A Simple Example 

A fundamental problem in building Automatic Deduction Systems (and in build- 
ing those applications such as automatic program verification systems [2,11], 
automatic complexity analysis systems [7], automatic design verification sys- 
tems [10], and automatic design change systems [8] which depend on underlying 
automatic theorem proving technology) is how to allow them to increase their 
capabilities by incorporating and using previously proven rules of inference in 
proving subsequent theorems [5,6]. Although at first glance, one might think that 
this problem is solved by simply proving a lemma from the primitive axioms of 
the formal theory and then using it as a hypothesis in proving the theorem, this 
simplistic description ignores the fact that usually it is not actually a lemma 
which is used to prove the theorem, but instead it is an inference rule expressed 
in some metalanguage of that formal theory. Such inference rules are important 



M. Cialdea Mayer and F. Pirri (Eds.): TABLEAUX 2003, LNAI 2796, pp. 246-251, 2003.
(c) Springer-Verlag Berlin Heidelberg 2003

Logistica 2.0: A Technology for Implementing Automatic Deduction Systems



because they package up into the rule a significant amount of control information for the deductive process. For example, in trying to prove that p+q=r+p+r we would like to cancel the p's, leaving the subgoal q=r+r to prove later. If we try to make this inference using the cancellation lemma of addition, namely x+y=x+z iff y=z, letting x:=p and y:=q we unfortunately find that r+p+r cannot in general be an instance of x+z. Thus this cancellation lemma cannot be used in a direct manner to simplify the above equation. However, we could achieve this simplification if this cancellation lemma of addition were replaced by a general cancellation rule of inference expressed in the English metalanguage as:

”A sum containing a number equals another sum containing the same number if and only if the first sum with one occurrence of that number removed is equal to the second sum with one occurrence of that number removed.”

In this case, letting the term in this inference rule be p, the equation p+q=r+p+r would then be seen to be equivalent to q=r+r since it is that equation with the two occurrences of p deleted. Logistica can represent this inference rule in a visually appealing manner as a single line of code:

(define (= (+ _a x _b) (+ _c x _d))
        (= (+ _a _b) (+ _c _d)))

When =, +, p, q, and r are symbolic (i.e. defined to return themselves if no other rule is applicable) the application of this definition results in the appropriate cancellation:

(= (+ p q) (+ r p r)) => (= (+ q) (+ r r))
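As an added example (Python, not Logistica itself), the segment-variable matching that makes this single definition work: pattern names beginning with '_' match zero or more neighbouring elements, so applying a rule yields every way in which it matches. The set VARS of ordinary pattern variables is an assumption of this sketch.

```python
"""Segment-variable matching behind the Logistica cancellation rule.

Added example, not Logistica itself: a small Python matcher for patterns in
which names beginning with '_' are segment variables (matching zero or more
neighbouring elements), names in VARS are ordinary variables (matching one
element) and everything else is symbolic and must match itself.  Because a
segment variable can match in several ways, applying a rule yields every
result, which is the "multiply valued" behaviour the paper describes.
"""

VARS = {'x'}          # ordinary pattern variables used by the rules below (assumed)

def parse(text):
    """Read one s-expression into nested lists of symbol strings."""
    tokens = text.replace('(', ' ( ').replace(')', ' ) ').split()
    def read(pos):
        if tokens[pos] != '(':
            return tokens[pos], pos + 1
        items, pos = [], pos + 1
        while tokens[pos] != ')':
            item, pos = read(pos)
            items.append(item)
        return items, pos + 1
    return read(0)[0]

def unparse(tree):
    """Print nested lists back as an s-expression."""
    return '(' + ' '.join(map(unparse, tree)) + ')' if isinstance(tree, list) else tree

def is_segment(p):
    return isinstance(p, str) and p.startswith('_')

def match(pat, expr, env):
    """Yield every extension of env under which pat matches expr."""
    if isinstance(pat, list):
        if isinstance(expr, list):
            yield from match_seq(pat, expr, env)
    elif pat in VARS:
        if pat not in env:
            yield {**env, pat: expr}
        elif env[pat] == expr:
            yield env
    elif pat == expr:                      # a symbolic constant matches only itself
        yield env

def match_seq(pats, exprs, env):
    """Match a list of patterns against a list of expressions, element by element."""
    if not pats:
        if not exprs:
            yield env
        return
    first, rest = pats[0], pats[1:]
    if is_segment(first):
        if first in env:                   # an already bound segment must recur verbatim
            seg = env[first]
            if exprs[:len(seg)] == seg:
                yield from match_seq(rest, exprs[len(seg):], env)
            return
        for cut in range(len(exprs) + 1):  # every split point is a possible match
            yield from match_seq(rest, exprs[cut:], {**env, first: exprs[:cut]})
    elif exprs:
        for env2 in match(first, exprs[0], env):
            yield from match_seq(rest, exprs[1:], env2)

def instantiate(template, env):
    """Build the right-hand side, splicing segment bindings into their lists."""
    if not isinstance(template, list):
        return env.get(template, template) if template in VARS else template
    out = []
    for item in template:
        if is_segment(item):
            out.extend(env[item])
        else:
            out.append(instantiate(item, env))
    return out

def apply_rule(lhs, rhs, expr):
    """All results of rewriting expr by the rule lhs => rhs, one per match."""
    return [unparse(instantiate(rhs, env)) for env in match(lhs, expr, {})]

# The paper's varyadic cancellation rule as a pattern pair.
CANCEL_LHS = parse('(= (+ _a x _b) (+ _c x _d))')
CANCEL_RHS = parse('(= (+ _a _b) (+ _c _d))')

def cancel(text):
    """Apply the cancellation rule to an equation given as an s-expression string."""
    return apply_rule(CANCEL_LHS, CANCEL_RHS, parse(text))
```

When the cancelled symbol occurs more than once in a sum, the rule has several matches and the matcher returns one result per match; when the two sums share no symbol, it returns none.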

This Logistica program can be automatically proven to be a derived rule of inference of Number Theory [9] by simply defining some of the Peano Axioms of Number Theory and Varyadic structures with more primitive basic laws of recursion and mathematical induction as follows: First, varyadic functions, such as the N-ary plus written as +, are defined in terms of binary functions, such as binary plus which is written as ++, as follows:

(define (+ x _L) (++ x (+ _L)))

(define (+) 0)

(define (make-ind (^p L))
        (and (^p '())
             (-> (^p L) (^p (cons (gensym) L)))))

The first definition, which will be called +list, says that + of one or more arguments is the binary sum (i.e. ++) of the first argument with the sum of the remaining arguments. The second law, which is called +(), says that the sum of no arguments is zero. The third law is the induction law for lists. It is used to prove general statements about segment variables. In this context it states that a property is true of zero or more arguments if and only if it is true of no arguments and if it is true of n arguments then it is true of n+1 arguments. For example, this law transforms (foo _L) into:

(and (foo _'())
     (-> (foo _L) (foo _(cons g1 L))))

which splices in as (and (foo) (-> (foo _L) (foo g1 _L))). Second, we define some axioms dealing with binary plus (i.e. ++) which are easily proven from the Peano axioms of number theory [Skolem]. The following Logistica definitions define two such axioms.

(define (++ x (++ (!test y (<< y x)) z))
        (++ y (++ x z)))

(define (= (++ x y) (++ x z)) (= y z))

The first definition is the commutativity of binary plus. This definition re-orders terms across a level of ++ expressions, where << is an alphabetic lexicographic well ordering on such terms. !test succeeds in matching if its first argument matches and its second argument is true. The second law says that any two binary sums with identical first arguments are equal if and only if their second arguments are equal.

Using these definitions, some elementary laws of equality and logic, and supporting definitions such as lexicographic ordering, the cancellation rule of inference can be proven by evaluating a sequence of such rules of inference. As each rule of inference in the sequence is proven, it is incorporated as a new Logistica definition by orienting it, translating it to Logistica, and defining it. Orienting rules of inference is required since we must be able to apply them unidirectionally. This is done by choosing the left and right sides of each rule such that the left side of the rule is greater than the right side with respect to some well-founded complexity ordering. Here is an example call to a Logistica program which does all this:

(justifyAndCompile
  (= (+ _a x _b) (+ x _a _b))
  (iff (= (+ _a x _b) (+ _c x _d))
       (= (+ _a _b) (+ _c _d))))

The result of this call is to prove the rules of inference in the input list in the order given and to add each such rule of inference as a new Logistica rule immediately after it is proven:

Metatheorem: VaryadicCommutativity of +: +comm

Proof: (= (+ _a x _b) (+ x _a _b))                                  :+list
       (= (+ _a x _b) (++ x (+ _a _b)))                             :symmetry of =
       (= (++ x (+ _a _b)) (+ _a x _b))                             :induction 1.1, 1.2
  1.1  (= (++ x (+ _b)) (+ x _b))                                   :+list
       (= (++ x (+ _b)) (++ x (+ _b)))                              :reflexivity of =
  1.2  (-> (= (++ x (+ _a _b)) (+ _a x _b))
           (= (++ x (+ w _a _b)) (+ w _a x _b)))                    :+list (twice)
       (-> (= (++ x (+ _a _b)) (+ _a x _b))
           (= (++ x (++ w (+ _a _b))) (++ w (+ _a x _b))))          :++AC
       (-> (= (++ x (+ _a _b)) (+ _a x _b))
           (= (++ w (++ x (+ _a _b))) (++ w (+ _a x _b))))          := substitution
       (= (++ w (+ _a x _b)) (++ w (+ _a x _b)))                    :reflexivity of =
       #t

This rule is not orientable since the 2 sides are permutations of each other; therefore, we compile extra code into it to apply the rule only if the left side is greater than the right under our ordering.

(define (+ _a x _b)
        (if (and (not (equal? (+ _a x _b) (+ x _a _b)))
                 (<L (+ x _a _b) (+ _a x _b)))
            (cut! (+ x _a _b))
            #fail))

Metatheorem: VaryadicCancellation for +:

Proof: (<-> (= (+ _a x _b) (+ _c x _d)) (= (+ _a _b) (+ _c _d)))              :+comm (twice)
       (<-> (= (+ x _a _b) (+ x _c _d)) (= (+ _a _b) (+ _c _d)))              :+list (twice)
       (<-> (= (++ x (+ _a _b)) (++ x (+ _c _d))) (= (+ _a _b) (+ _c _d)))    :+cancel
       (<-> (= (+ _a _b) (+ _c _d)) (= (+ _a _b) (+ _c _d)))                  :reflexivity of =
       #t

This inference rule is orientable according to our ordering and is thus added to this environment:

(define (= (+ _a x _b) (+ _c x _d))
        (= (+ _a _b) (+ _c _d)))

The simplicity of this representation of inference rules and their justification 
may be contrasted with metatheoretic approaches, such as the meaning function 
approach [4] applied to this example in [3]. 
3 Conclusion

It is especially easy to represent environments of rule systems and axiom schemas 
in Logistica. In addition, because Logistica is essentially the addition of synergis- 
tic features to an already well-developed programming language based on higher 
order logic [12], it is also easy to embed such deduction systems into larger Ar- 
tificial Intelligence programs. By embedding deduction into a system including 
Higher Order Logic we do not separate logic and control as suggested in [13]. 
Instead, we merge Logic and Control as suggested in [15, 16] but in a more 
sophisticated manner than is done in First Order Logic or in the Horn clause 
subset of First Order Logic. Instead, like [1] Logistica mixes logic and control in 
the framework of a Higher Order Logic. 
Abstract. Constraint merging tableaux maintain a system of all closing substitutions of all subtableaux up to a certain depth, which is incrementally increased. This avoids backtracking as necessary in destructive first order free variable tableaux. The first successful implementation of this paradigm was given in an object-oriented style. We analyse the reasons why lazy functional implementations so far were problematic (although appealing), and we give a solution. The resulting implementation in Haskell is compact and modular.



1 Introduction 

Until recently, implementations of free variable tableau proof procedures suffered 
from the necessity to backtrack over branch closing substitutions, if completeness 
was not to be sacrificed [3]. The central problem is that substitutions destruc- 
tively change the rigid variables occurring in tableaux, which leads to complex 
dependencies between substitution and extension steps. Although by now there 
are ways to “repair” a tableau after a destructive closure step, the resulting 
proof procedures have unusual and relatively complicated rules, and a serious 
implementation of these ideas was not tried so far. 

A fundamentally different way to cope with destructive closing substitutions 
is to simply enumerate all possible closing substitutions of a tableau in parallel. 
The fact that substitutions can be seen as term constraints suggests the phrase 
constraint tableaux [4] for a tableau procedure along these lines. Traditionally, 
this was considered too expensive in order to be viable and, if one uses naive 
breadth-first search, it certainly is. The breakthrough came with [1, 2], where a 
“lazy” stream of closing substitutions is associated with the subtableau below 
each tableau node. This requires merging streams of closing substitutions, so 
the resulting calculi are called constraint merging tableaux. In the presence of 
refinements such as pruning, subsumption, and simplification, they are a basis 
for a competitive implementation. 

The implementation [1, 2] is object-oriented, but the term “lazy” suggests 
to use a programming language supporting lazy evaluation. Such implementa- 
tions in Haskell were given in [5] and [4]. Our approach is related to the latter. 
Both, however, suffer from drawbacks, which we were able to remedy. A lazy 
functional implementation is less straightforward than it seems at first. At its heart is the merging of streams of substitutions at branching nodes: if refute yields a stream of closing substitutions for a set of formulas, then the code for disjunctive formulas looks like this:

$\mathit{refute}\,(\{\phi \vee \psi\} \cup B) = \mathit{merge}\,(\mathit{refute}\,(\{\phi\} \cup B))\,(\mathit{refute}\,(\{\psi\} \cup B))$

The merger drives lazy evaluation of subtableaux. As we show below, one must 
design it very carefully to ensure fairness (and, hence, completeness). This was 
not properly addressed in functional implementations so far. Another problem is 
that any competitive implementation of a tableau-based proof procedure needs 
to incorporate refinements such as pruning and subsumption. Giese [2, p 45] 
reports that an attempt to combine fairness and refinements in a functional 
style resulted in a merger of overwhelming complexity. Both [5, 4] are not fair 
(as we show below) and do not feature refinements. 

We implemented a constraint merging tableaux procedure in lazy functional 
style including the following features: (a) we identify and describe the fairness 
problems present in previous approaches and we solve them cleanly; (b) our 
implementation is compact (less than 100 lines), making it suitable for experi- 
mentation; (c) the input formula language may contain arbitrary Haskell func- 
tions; (d) basic refinements to improve efficiency. The source code is available at 
http://www.cs.chalmers.se/~nik/lazy. 

2 The Implementation 

In [5], explicit data structures are built up to represent tableaux, while the ap- 
proach in [4] dispenses with them and keeps only the system of term constraints 
that would result from applying the rules. In our approach the notion of a for- 
mula is central. We exploit that certain kinds of first order formulas completely 
determine a tableaux for them up to the substitutions applied. Formally, call 
a free variable tableau for a formula to which no closure rule has been ap- 
plied, a tableau template. Note that a tableau template, in general, is an 
infinite tree. 

Now, a formula is identified by such a tableau template, which in turn is 
represented by a Haskell function that produces a stream of closing substitutions 
for this formula and a given tableau branch. Expressions of type TT can be 
constructed using the following functions: 

fresh :: (Term -> TT) -> TT
pLit  :: Atom -> TT          (<|>) :: TT -> TT -> TT
nLit  :: Atom -> TT          (<&>) :: TT -> TT -> TT

For example, the formula $\phi = (\neg p \vee q) \wedge \neg q$ could be constructed as follows: “phi = (nLit p <|> pLit q) <&> nLit q”. We allow disjunction, conjunction, plus negation at the literal level. Universal quantification is discussed below. Functions have a string identifier, variables are identified by a unique label generated by the system. For simplicity, atoms are typed as terms. Here we declare a constant zero, a one-place function suc, and a one-place predicate nat:

zero = Fun "zero" []
suc x = Fun "suc" [x]
nat x = Fun "nat" [x]

Now we can build formulas containing variables. Consider, for example, the definition “sucNat x = nLit (nat x) <|> pLit (nat (suc x))”. Here, we view the formula sucNat(x) with free variable x as a Haskell function sucNat with formal parameter x.

At the heart of first order theorem proving is the capability to obtain unlim- 
ited numbers of fresh instances of universally quantified formulas. We provide 
directly an operation called fresh that takes a formula with a free variable 
and produces an instance, where the free variable has been replaced with a new 
unique (ie, “fresh”) name. The following example demonstrates how to emulate 
universal quantification, using fresh and recursive definitions. 

zeroIsNat   = pLit (nat zero)
twoIsNotNat = nLit (nat (suc (suc zero)))
uSucNat     = fresh sucNat <&> uSucNat

countToTwo  = zeroIsNat <&> twoIsNotNat <&> uSucNat

The first order formula $\mathit{nat}(0) \wedge \neg\mathit{nat}(s(s(0))) \wedge (\forall x)(\neg\mathit{nat}(x) \vee \mathit{nat}(s(x)))$ is represented by this code, but the tableau building functions of type TT do much more than representing a formula: they build an infinite tableau template. There are infinitely many possible tableau templates for a given formula; however, a tableau template is completely determined by the particular definition of countToTwo. We happened to arrange the constituents of countToTwo in a fair manner, hence tableau completeness guarantees that the corresponding tableau template can be completed to a proof.

Our formula input language can be mixed with arbitrary Haskell code to 
make it more expressive. It is easy, for example, to code a resource-bounded 
quantifier that can use at most n instances of its scope. The language of tableau 
templates allows even to control the shape of proofs. The following definition, 
for example, forces tableaux for the counting example to become linear: 



linSucNat x = nLit (nat x) <|> (pLit (nat (suc x)) <&> fresh linSucNat)
countToTwo' = zeroIsNat <&> twoIsNotNat <&> fresh linSucNat



The trick is that recursion is only done in the right part of the disjunction, which 
leads to linear trees. 

3 The Difficulty of Merging Substitutions 

Consider the problem countToTwo from above. Below is the initial part of the 
tableau template for countToTwo, annotated with closing substitutions for each 
subtableau. At each node we provide the following information: in the first line, 
a node identifier, followed by the formula the node is labelled with. In the re- 
maining lines (if any), the new closing substitutions that are possible at this 
node. The notation ON refers to the node label that is used to close the tableau 
(besides the current node). 
We consider the following strategy for merging substitutions: at each node, 
look at the combination of each pair of substitutions, where one substitution is 
from the left and one from the right subtableau. Wlog start with the first sub- 
stitution in each subtableau, followed by the second substitution in the left and 
the first in the right. This weak requirement is enough to cause non-termination 
independently of how the remaining Cartesian product is enumerated. 

The first pair of substitutions in the tableau above are the incompatible ones of node 3 (X2=zero) and node 6 (X2=suc(zero)). Then our enumeration looks for the next solution for node 3. This second substitution at node 3 must come from the combination of substitutions in nodes 4 and 5. Again, the first substitutions at this level are combined: X3=zero at node 4 and X3=suc(zero) at node 5. Again, they are incompatible, leading to yet another level of expansion. Note the similar situations in nodes 2, 3 and 4: all need the second element in their left subtree to compute the next pair of solutions. This is an invariant for the “leftmost” nodes of the constraint tree, which makes the whole computation non-terminating.

In the example, the mistake occurs first in the merging of the substitutions belonging to nodes 4 and 5: it would have been correct to compute the combination of all new substitutions at this level at the same time, before proceeding any further. This would result in the compatible pair (X3=zero, X2=suc(X3)), which quickly terminates the search.

Our example can be adapted to any merger built from any systematic enu- 
meration of Cartesian products of single substitutions. This shows that any such 
approach is bound to be incomplete due to non-termination. For example, the 
implementations in [4, 5] suffer from exactly this problem. 

Our solution combines, at each level of the search, all new substitutions with 
each other and passes them up, before proceeding further. To ensure this, one 
needs to record which substitutions were generated at the same node. The most 
straightforward way is to use doubly nested lists of substitutions, where the 
“inner” lists comprise exactly those substitutions belonging to the same node. 
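As an added example (Python, not the paper's Haskell), the level-wise merger just described, run on a constructed model of the countToTwo template: the closing substitutions of each node are hand-encoded from the description in this section, since the annotated tableau itself is not reproduced on the page, and compatibility is decided by a small unifier without occurs check.

```python
"""Level-wise merging of closing substitutions (added example, not the paper's Haskell).

Terms: an uppercase string is a variable ('X2'), a lowercase string a constant and a
tuple (functor, arg, ...) a compound term; a substitution is a dict var -> term.
A constraint stream is an iterator of *levels*, each level being the list of
substitutions that became available at the same node: the doubly nested lists of
the paper.  The node generators below are a constructed model of the countToTwo
template's closures, hand-encoded from this section's description because the
annotated tableau itself is not reproduced on the page.
"""
from itertools import zip_longest

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def walk(t, s):
    """Follow bindings in s until a non-variable or an unbound variable is reached."""
    while is_var(t) and t in s:
        t = s[t]
    return t

def unify(a, b, s):
    """Extend s so that a and b become equal, or return None (no occurs check)."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a):
        return {**s, a: b}
    if is_var(b):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b) and a[0] == b[0]:
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def combine(s1, s2):
    """Substitution compatible with both s1 and s2, or None if they clash."""
    s = dict(s1)
    for v, t in s2.items():
        s = unify(v, t, s)
        if s is None:
            return None
    return s

def resolve(t, s):
    """Fully instantiate t under s."""
    t = walk(t, s)
    return (t[0],) + tuple(resolve(x, s) for x in t[1:]) if isinstance(t, tuple) else t

def merge(left, right):
    """Lazily merge two level streams.  Level n of the result holds every compatible
    pair with at least one side new at step n, so all substitutions that appear
    together at a node are combined before anything deeper is demanded."""
    seen_l, seen_r = [], []
    for new_l, new_r in zip_longest(left, right, fillvalue=[]):
        out = [combine(a, b) for a in new_l for b in seen_r + new_r]
        out += [combine(a, b) for a in seen_l for b in new_r]
        seen_l += new_l
        seen_r += new_r
        yield [s for s in out if s is not None]

# Model of the countToTwo template: instance i of sucNat splits into ~nat(Xi) on the
# left and nat(suc(Xi)) on the right, and every branch continues with instance i+1.
def neg_node(i, negs):
    """~nat(Xi): closes against nat(zero); below it comes the next instance."""
    yield [{f'X{i}': 'zero'}]
    yield from merge(neg_node(i + 1, negs + [f'X{i}']), pos_node(i + 1, negs + [f'X{i}']))

def pos_node(i, negs):
    """nat(suc(Xi)): closes against ~nat(suc(suc(zero))) and against every ~nat(Xj)
    above it on the branch (negs); below it again comes the next instance."""
    yield [{f'X{i}': ('suc', 'zero')}] + [{v: ('suc', f'X{i}')} for v in negs]
    yield from merge(neg_node(i + 1, negs), pos_node(i + 1, negs))

def first_closing_substitutions():
    """Fully resolved substitutions of the first non-empty level at the root."""
    for level in merge(neg_node(2, []), pos_node(2, [])):
        if level:
            return [{v: resolve(v, s) for v in s} for s in level]
```

The root merger's first level is empty (X2=zero against X2=suc(zero)); its second level already combines X3=zero with X2=suc(X3) at nodes 4 and 5 and passes the result up, where it is compatible with node 6, so the proof substitution X2=suc(zero), X3=zero is found without descending further.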

4 Refinements 

For a subtableau starting with the introduction of a fresh variable, it suffices to 
know that it is closable for some value of this variable. In order to get rid of 
these local variables one introduces existential quantification in the constraint 
language, and existentially binds local variables as they “propagate upwards” past their scope. This technique decreases the number of variables in constraints considerably.

During merging, if two constraints $c_1$ and $c_2$, where $c_2$ is subsumed by $c_1$, are found in one of the input streams, then it is possible to throw away $c_2$. This is safe, because no solutions are lost in the subsumed constraint.

The vanilla implementation realizes a branch selection strategy with breadth 
first effect. Often it is more efficient to prioritize such subtableaux that suffer 
from a dearth of closing substitutions. A natural optimization is to allow the 
mergers to focus on only one branch until at least one solution is found in both 
of their branches. 

5 Conclusion and Future Work 

Our implementation is still naive. We were more interested in expressing the core algorithm in a concise way than producing a competitive theorem prover, so we paid little attention to efficiency of data structures. However, from the SYN category of TPTP 2.5.0, which contains about 1000 problems, 448 problems could be proven with a time limit of 5 min. Most of the successfully proved problems were classified as simple in TPTP, but 28 had a rating between 0.12 and 0.67.

In the future we would like to add more refinements, such as simplification [2] 
and equality handling. We made some experiments with pruning [3], which in- 
deed gives a significant performance boost, but makes the implementation much 
less elegant. Hyper tableaux proved to be an effective refinement, and should be 
implemented as well. Our prover has a facility for graphical output which could 
not be described here for lack of space. There should be a library of formula 
constructors, for example, for various kinds of quantifiers or abstract data types. 



References 

[1] M. Giese. Incremental closure of free variable tableaux. In R. Goré, A. Leitsch, 
and T. Nipkow, editors, Proc. Intl. Joint Conf. on Automated Reasoning IJCAR, 
Siena, Italy, volume 2083 of LNCS, pages 545-560. Springer-Verlag, 2001. 

[2] M. Giese. Proof Search without Backtracking for Free Variable Tableaux. PhD 
thesis, Fakultät für Informatik, Universität Karlsruhe, July 2002. 

[3] R. Hähnle. Tableaux and related methods. In A. Robinson and A. Voronkov, 
editors, Handbook of Automated Reasoning, volume I, chapter 3, pages 101-178. 
Elsevier Science B.V., 2001. 

[4] B. Ó Nualláin. Constraint tableaux. In Position Papers presented at International 
Conference on Analytic Tableaux and Related Methods, Copenhagen, Denmark, 
2002. 

[5] J. van Eijck. Constrained hyper tableaux. In L. Fribourg, editor, Proc. Computer 
Science Logic, Paris, France, volume 2142 of LNCS, pages 232-246. Springer- 
Verlag, Sept. 2001. 



SOLAR: A Consequence Finding System 
for Advanced Reasoning 



Hidetomo Nabeshima¹, Koji Iwanuma¹, and Katsumi Inoue² 

¹ University of Yamanashi 
4-3-11 Takeda, Kofu-shi 400-8511, Japan 
{nabesima, iwanuma}@iw.media.yamanashi.ac.jp 
² Kobe University 
Rokkodai-cho, Nada-ku, Kobe 657-8501, Japan 
inoue@eedept.kobe-u.ac.jp 



1 Introduction 

SOLAR is an efficient first-order consequence finding system based on a con- 
nection tableau format with the Skip operation. Consequence finding [1, 2, 3, 4] 
is a generalization of refutation finding or theorem proving, and is useful for 
many reasoning tasks such as knowledge compilation, inductive logic program- 
ming and abduction. One of the most significant calculi for consequence finding 
is SOL [2]. SOL is complete for consequence finding and can find all minimal- 
length consequences with respect to subsumption. SOLAR (SOL for Advanced 
Reasoning) is an efficient implementation of SOL and avoids producing non- 
minimal or redundant consequences thanks to various state-of-the-art pruning 
methods, such as skip-regularity, local failure caching and folding-up (see [5, 6]). 

SOLAR also performs well as a theorem prover. For the 1,921 problems 
in the TPTP v2.5.0 library that do not contain equality, the experimental 
results show that SOLAR solves 52% of the problems within 300 CPU 
seconds per problem, whereas OTTER 3.2 solves 50%. SOLAR is 
written in Java, and thus has the desirable features of high programmability, 
extensibility, reusability and platform independence. Hence SOLAR can easily 
be incorporated into many AI programs. To our knowledge, SOLAR is 
the first sophisticated implementation of a first-order consequence finding calculus. 

2 Consequence Finding Procedure SOL 

Consequence finding [1, 2, 3, 4] is the computational problem of finding important 
consequences of an axiom set, and is a generalization of refutation finding or 
theorem proving. In practice, however, the set of theorems derivable from an 
axiom set may be infinite, even when it is restricted to the consequences that 
are minimal with respect to subsumption. Toward more practical automated 
consequence finding, Inoue [2] reformulated the problem, restricting attention to 
finding only “interesting” consequence formulas, called characteristic clauses. 
The concept of characteristic clauses is useful for various reasoning problems of 
interest to AI, such as nonmonotonic reasoning, abduction and knowledge 
compilation (see [2, 1] for details), inductive logic programming [7, 8], 
multi-agent systems [6], bioinformatics [9] and distributed knowledge bases [10]. 

Inoue [2] proposed SOL-resolution for mechanically finding characteristic 
clauses within first-order logic; it can be viewed either as an extension of 
Loveland's model-elimination-like calculus [11] with the Skip operation or as a 
generalization of Siegel's propositional production algorithm [12]. Compared with 
other calculi, SOL-resolution can focus on generating only the characteristic 
clauses rather than all logical consequences. SOL-resolution is one of the most 
advanced and significant calculi for the consequence finding problem. 

The original SOL-resolution [2] was given in a model-elimination-like chain 
format [11]. Iwanuma et al. [5] reformulated SOL-resolution within the frame- 
work of connection tableaux [13, 14] and proposed various complete pruning 
methods [5, 6] for enhancing the efficiency of SOL tableaux, such as skip- 
regularity, local failure caching and folding-up. 

We give a brief view of SOL tableaux. A production field P is a pair 
⟨L, Cond⟩, where L is a set of literals closed under instantiation, and 
Cond is a certain condition to be satisfied. When Cond is not specified, P is 
denoted as ⟨L⟩. A clause C belongs to P = ⟨L, Cond⟩ if every literal in C be- 
longs to L and C satisfies Cond. When Σ is a set of clauses, the set of logical 
consequences of Σ belonging to P is denoted as Th_P(Σ). A production field P 
is stable if, for any two clauses C and D such that C subsumes D, D belongs 
to P only if C belongs to P. The stability of a production field is important in 
practice [2], and we assume in this paper that production fields are stable. 

Example 1. Let L = L⁺ ∪ L⁻ be the set of all literals in the first-order lan- 
guage, where L⁺ and L⁻ are the positive and negative literals in the language, 
respectively. The following are examples of stable production fields. 

1. P₁ = ⟨L⟩: Th_{P₁}(Σ) is the set of logical consequences of Σ. 

2. P₂ = ⟨L⁺⟩: Th_{P₂}(Σ) is the set of all positive clauses derivable from Σ. 

3. P₃ = ⟨L⁻, length is fewer than k⟩: Th_{P₃}(Σ) is the set of negative clauses 
implied by Σ consisting of fewer than k literals. 

On the contrary, P₄ = ⟨L, length is more than k⟩ is not a stable production 
field. For example, if k = 2 and L = {¬P, Q, R}, then C = ¬P ∨ Q subsumes 
D = ¬P ∨ Q ∨ R, and D belongs to P₄ while C does not. 

Given a set of clauses Σ, a newly added clause C and a production field P, an 
SOL-deduction from Σ + C and P satisfies the following: 

Theorem 1. (Soundness and Completeness of SOL-Deduction). [5] 

1. Soundness: If a clause S is derived by an SOL-deduction from Σ + C and 
P, then S belongs to Th_P(Σ ∪ {C}). 

2. Completeness: If a clause F does not belong to Th_P(Σ) but belongs to 
Th_P(Σ ∪ {C}), then there is an SOL-deduction of a clause S from Σ + C 
and P such that S subsumes F. 
Fig. 1. Example of a tableau 



In the above, S is an interesting clause newly obtained by adding C to Σ. 
We briefly explain SOL resolution by the next example. 

Example 2. 

    C = p(X) ∨ s(X), 
    Σ = {q(X) ∨ ¬p(X), ¬s(Y), ¬p(Z) ∨ ¬q(Z) ∨ r(Z)}, 
    P = ⟨L⁺, length is less than 2⟩. 

Figure 1 is one of the tableaux derived by an SOL-deduction from Σ + C 
and P. An SOL-deduction uses three inference rules: Skip, Extension and 
Reduction. Skip is a rule that skips a literal belonging to the production field. 
The skipped literals constitute a consequence clause. In Fig. 1, the node r(X) is 
skipped. The Extension rule expands a node with a clause of the axiom set in the 
same way as the resolution principle does. The node p(X) is extended with the 
clause q(X) ∨ ¬p(X). The node ¬p(X) at the bottom is closed by Reduction 
because it has an ancestor p(X) which is unifiable with the complement of ¬p(X). 
A tableau is said to be solved if all leaf nodes of the tableau are marked. Figure 1 
is a solved tableau, thus we obtain a new consequence clause r(X), consisting 
of all skipped literals. 

3 SOLAR 

SOLAR is an efficient implementation of the consequence finding procedure SOL, and 
has the various sophisticated pruning methods shown in Tab. 1. “full” denotes that 
a pruning method is fully implemented, while “partial” means that a pruning 
method is partially implemented, since its full check requires a high computa- 
tional cost. Merge with skipped literals and skip-regularity are native to SOL. 
Identical goal pruning and unit subsumption are specializations of regularity and 
TCS-freeness, respectively. Additionally, SOLAR uses a discrimination tree [15] 
for representing a set of clauses in order to speed up term indexing and retrieval. 

Table 1. Implemented pruning methods in SOLAR 

    Pruning method                     Checking 
    --------------------------------   -------- 
    Merge with skipped literals [5]    full 
    Unit Axiom/Lemma matching [5]      full 
    Identical reduction [5]            full 
    Folding-up [5]                     full 
    Regularity [6]                     partial 
    Tautology-freeness [6]             partial 
    Complement-freeness [6]            partial 
    Skip-regularity [6]                partial 
    TCS-freeness [6]                   partial 
    Identical goal pruning             full 
    Unit subsumption [5]               partial 
    Order preserving reduction [5]     full 
    Local failure caching [5]          full 

The input of SOLAR is a description of a consequence finding problem that is 
compatible with the TPTP [16] format. Example 2 can be described as follows: 

    input_clause(clause1, top_clause, [p(X), s(X)]). 
    input_clause(clause2, axiom, [q(X), -p(X)]). 
    input_clause(clause3, axiom, [-s(Y)]). 
    input_clause(clause4, axiom, [-p(Z), -q(Z), r(Z)]). 
    production_field([predicates(pos_all), length < 2]). 

top_clause means that the clause is the newly added one. production_field indi- 
cates the production field; in this example it allows consequences consisting 
of fewer than 2 positive literals. If there is no top_clause and no 
production_field, then the format is equivalent to TPTP's own and 
SOLAR tries to find a refutation, i.e. it works as a theorem prover. 

The output of SOLAR is the set of minimal-length consequences: 

    % ./solar example.sol 
    real time : 100 msec (0.1 sec) 
    3 consequences 
    [p(_0)] 
    [q(_0)] 
    [r(_0)] 

SOLAR has many command-line options that enable/disable each pruning 
method, display several derived tableaux, and so on. 



4 Performance of SOLAR 

We show that merge, skip-regularity and local failure caching greatly accelerate 
consequence finding. Table 2 shows the experimental results that compare these 
methods. We use an axiom set of the TPTP library as a consequence finding 
problem. SOLAR calculates the minimal-length consequences derivable from the 
axiom set. “Problem” denotes an axiom set of the TPTP library; “dep”, “len” 
and “TD” in the column “params” mean the maximum search depth, the maximum 
length of consequences, and the maximum term depth of each literal in 
consequences, respectively. “none” means that SOLAR does not use these pruning 
methods at all, and conversely “all” uses all of them; “merge”, “skip-reg” and 
“local fail” mean that SOLAR uses the corresponding pruning method without 
any of the others. “infs” is the total number of rules applied to tableaux, and 
“conss” is the number of computed consequences. All experiments were conducted 
on a Pentium 4 (2.53GHz) machine running JDK 1.4.1_01 on Turbolinux 
Workstation 8.0 with 1GB memory. 

Table 2. Performance of consequence finding 

    Problem       params     measure      none        merge       skip-reg    local fail  all 
    -----------   --------   ----------   ---------   ---------   ---------   ----------  --------- 
    PUZ001-0.ax   dep < 8    time [sec]   21.61       8.43        2.30        11.47       1.15 
                  len < 3    infs         7,964,928   2,861,086   514,089     3,552,867   94,660 
                             conss        50          50          53          50          52 
    HWV001-2.ax   dep < 4    time [sec]   32.94       23.77       20.56       16.65       10.05 
                  len < 5    infs         74,110      57,374      63,532      48,804      34,855 
                             conss        1122        984         961         857         716 
    GEO001-0.ax   dep < 4    time [sec]   33.99       31.97       32.96       3.79        3.94 
                  len < 1    infs         5,431,218   4,910,903   5,089,578   417,915     415,070 
                             conss        34          34          34          9           9 
    BOO001-0.ax   dep < 11   time [sec]   39.44       39.14       39.30       39.50       39.32 
                  len < 1    infs         3,765,128   3,765,128   3,765,128   3,765,128   3,765,128 
                  TD < 4     conss        4           4           4           4           4 

Table 3. Performance of refutation finding 

                 5,181 problems possibly containing equality   1,921 problems containing no equality 
                 Solved    Failed    Rate                       Solved    Failed    Rate 
    SOLAR        1644      3537      31.7%                      999       922       52.0% 
    Otter 3.2    2047      3134      39.5%                      960       961       50.0% 

Table 2 shows that all pruning methods reduce the search space and improve 
the speed. In particular, skip-regularity and local failure caching have great 
effects for PUZ001-0.ax and GEO001-0.ax, respectively. The result of BOO001- 
0.ax indicates that, although pruning has no effect there, these methods add 
almost no overhead. 

SOLAR also performs well as a theorem prover. We compared it with Otter 3.2 [17] 
on the TPTP problem library v2.5.0 [16]. We experimented on 5,181 problems. 
Table 3 shows the experimental results as a theorem prover. “Solved” is the 
number of problems proved within 300 CPU seconds and “Failed” shows the 
number of problems that could not be proved. SOLAR is especially superior to 
OTTER on the 1,921 problems that do not contain equality. 

5 Conclusion 

Consequence finding is an important technique for advanced reasoning such 
as nonmonotonic reasoning, abduction, multi-agent systems and bioinformatics. For 
such reasoning tasks, SOLAR is, to our knowledge, the first sophisticated 
implementation of a first-order consequence finding calculus, and can find important 
consequences efficiently thanks to various state-of-the-art pruning methods. SOLAR 
also performs well as a theorem prover. 

del Val [1] defines a variant of SOL resolution called SFK resolution for 
finding characteristic clauses based on ordered resolution. A propositional version 
of SFK resolution has recently been implemented using ZBDDs (Zero-suppressed 
Binary Decision Diagrams) [18]. It is reported that the ZBDD implementation 
can handle problems with more than 10^° propositional clauses. 
Abstract. In this paper we present CondLean, a theorem prover 
for propositional conditional logics CK, CK+ID, CK+MP and 
CK+MP+ID. The theorem prover implements some recently introduced 
sequent calculi for these logics. CondLean is developed following the 
methodology of leanTAP and it is implemented in SICStus Prolog. It also 
comprises a graphical user interface implemented in Java. CondLean 
can be downloaded at the site www.di.unito.it/~olivetti/CONDLEAN/ 



1 Introduction 

Conditional logics have found interesting applications in several areas of com- 
puter science and artificial intelligence. We just mention: knowledge representa- 
tion, non-monotonic reasoning, deductive databases, belief revision and natural 
language semantics. In spite of their significance, very few proof systems have 
been proposed for these logics. 

In [1] labelled sequent calculi SeqS (footnote 1) are introduced for the minimal normal condi- 
tional logic CK and for three extensions of it, namely CK+ID, CK+MP and 
CK+MP+ID. 

In this work we describe an implementation of SeqS calculi in SICStus Prolog. 
The program, called CondLean, gives a decision procedure for these logics; as 
far as we know this is the first theorem prover for these logics. For each system, 
we introduce three different versions: 

1. a simple version, where Prolog constants are used to represent SeqS's labels; 

2. a more efficient one, where labels are represented by Prolog variables, in- 
spired by the free-variable tableaux presented in [2]; 

3. a “two-phase” theorem prover, which first attempts to prove a sequent by 
using an incomplete, but fast, proof procedure (phase 1), and then calls 
the free-variable proof procedure (phase 2) in case of failure. 

CondLean also comprises a graphical interface implemented in Java, using 
the se.sics.jasper package to link the graphical user interface to the SICStus 
Prolog kernel. 

1 S stands for CK, ID, MP or ID+MP. 



M. Cialdea Mayer and F. Pirri (Eds.): TABLEAUX 2003, LNAI 2796, pp. 264-270, 2003. 
(c) Springer-Verlag Berlin Heidelberg 2003 



CondLean: A Theorem Prover for Conditional Logics 



2 Conditional Logics and Their Sequent Calculi 

We consider a propositional language L over a set ATM of propositional vari- 
ables. Formulas of L are built from propositional variables by means of the 
boolean operators ⊥, → and the conditional operator ⇒. We adopt the so-called 
propositional selection function semantics [3]. A selection function model for L 
is a triple M = ⟨W, f, [ ]⟩, where W is a non-empty set of items called worlds, f 
is a function of type f : W × 2^W → 2^W, called the selection function, and [ ] 
is an evaluation function of type ATM → 2^W. [ ] assigns to an atom p the set 
of worlds where p is true. The evaluation function [ ] can be extended to every 
formula by means of the following inductive clauses: 1. [⊥] = ∅; 2. [A → B] = (W 
− [A]) ∪ [B]; 3. [A ⇒ B] = {w ∈ W | f(w, [A]) ⊆ [B]}. We say that a formula A 
is valid in a model M as above if [A] = W. A formula A is valid (denoted by 
⊨ A) if it is valid in every model M. 

The above is the semantics of the basic conditional logic CK, where no spe- 
cific properties of the selection function f are assumed. Moreover, we consider 
the following extensions of CK: CK+ID, CK+MP and CK+MP+ID, ob- 
tained by postulating the semantic conditions (ID) and (MP), where (ID) is f(x, 
[A]) ⊆ [A] and (MP) is w ∈ [A] → w ∈ f(w, [A]). The two semantic conditions 
correspond respectively to the axiom schemata: 

A ⇒ A and (A ⇒ B) → (A → B) 
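To make the semantics concrete, here is an added example (not part of the CondLean paper or its code) that evaluates [A] over small constructed selection function models in Python and checks the two semantic conditions against the two axiom schemata. The tuple encoding of formulas, the three models M_id_mp, M_id_only and M_neither, and the helper names are this example's own; the conditions (ID) and (MP) are checked over every subset of W, which is exact for a finite model.

```python
# Added example (not part of the CondLean paper): selection function models
# evaluated directly, plus checks of the (ID) and (MP) conditions against the
# axiom schemata A => A and (A => B) -> (A -> B). All models are constructed.
# Formulas: ("atom", p), ("bot",), ("imp", A, B), ("cond", A, B).

from itertools import product


def atom(p): return ("atom", p)
BOT = ("bot",)
def imp(a, b): return ("imp", a, b)
def cond(a, b): return ("cond", a, b)


class Model:
    """M = <W, f, [ ]>: worlds, a selection function f(w, S) -> subset of W,
    and the valuation of atoms as sets of worlds."""

    def __init__(self, worlds, f, val):
        self.W, self.f, self.val = frozenset(worlds), f, val

    def ext(self, a):
        """[A]: the worlds where A holds (inductive clauses 1-3 of the paper)."""
        if a[0] == "atom":
            return frozenset(self.val.get(a[1], ()))
        if a[0] == "bot":
            return frozenset()
        if a[0] == "imp":
            return (self.W - self.ext(a[1])) | self.ext(a[2])
        if a[0] == "cond":
            sel = self.ext(a[1])
            return frozenset(w for w in self.W if self.f(w, sel) <= self.ext(a[2]))
        raise ValueError(a)

    def valid(self, a):
        """A is valid in M iff [A] = W."""
        return self.ext(a) == self.W

    def subsets(self):
        order = sorted(self.W)
        for bits in product((False, True), repeat=len(order)):
            yield frozenset(w for w, b in zip(order, bits) if b)

    def satisfies_id(self):
        """(ID): f(x, S) is included in S for every world x and every S in 2^W."""
        return all(self.f(w, s) <= s for w in self.W for s in self.subsets())

    def satisfies_mp(self):
        """(MP): w in S implies w in f(w, S)."""
        return all(w in self.f(w, s) for w in self.W for s in self.subsets() if w in s)


# Constructed models over W = {0, 1, 2}; p holds at 0 and 1, q only at 1.
VAL = {"p": {0, 1}, "q": {1}}
M_id_mp = Model({0, 1, 2}, lambda w, s: s & {w}, VAL)          # (ID) and (MP)
M_id_only = Model({0, 1, 2}, lambda w, s: frozenset(), VAL)    # (ID), not (MP)
M_neither = Model({0, 1, 2}, lambda w, s: {0, 1, 2} - s, VAL)  # neither

P, Q = atom("p"), atom("q")
ID_AXIOM = cond(P, P)                    # A => A
MP_AXIOM = imp(cond(P, Q), imp(P, Q))    # (A => B) -> (A -> B)


def summary(model):
    """Which semantic conditions hold and which axiom schemata are valid."""
    return {"ID": model.satisfies_id(), "MP": model.satisfies_mp(),
            "A=>A": model.valid(ID_AXIOM), "(A=>B)->(A->B)": model.valid(MP_AXIOM)}


if __name__ == "__main__":
    for name, m in [("id+mp", M_id_mp), ("id only", M_id_only), ("neither", M_neither)]:
        print(name, summary(m))
```

In M_id_only the selection function is empty, so every conditional is vacuously true while p → q fails at world 0; this is exactly the situation the (MP) condition rules out, and the MP axiom schema is not valid there. In M_neither the selection function never returns a subset of its argument, and A ⇒ A fails at every world.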

In Figure 1 we present the calculi for CK and its mentioned extensions intro- 
duced in [1]; the calculi make use of labelled formulas, where the labels are drawn 
from a denumerable set A; there are two kinds of formulas: 1. labelled formulas, 
denoted by x: A, where x ∈ A and A ∈ L; 2. transition formulas, denoted by x 
–A→ y, where x, y ∈ A and A ∈ L. A transition formula x –A→ y represents that 
y ∈ f(x, [A]). 



Definition (Sequent Validity). Given a model M = ⟨W, f, [ ]⟩ for L, and 
a label alphabet A, we consider any mapping I : A → W. Let F be a labelled 
formula; we define M ⊨_I F as follows: M ⊨_I x: A iff I(x) ∈ [A], and M ⊨_I x 
–A→ y iff I(y) ∈ f(I(x), [A]). We say that Γ ⊢ Δ is valid in M if for every 
mapping I : A → W, if M ⊨_I F for every F ∈ Γ, then M ⊨_I G for some 
G ∈ Δ. We say that Γ ⊢ Δ is valid in a system (CK or one of its extensions) if 
it is valid in every M satisfying the specific conditions for that system (if any). 

Theorem 1 (Soundness and Completeness [1]). A sequent Γ ⊢ Δ is valid 
if and only if Γ ⊢ Δ is derivable in SeqS. 

As usual, in order to obtain a decision procedure we have to control the 
application of the contraction rules in a backward proof search of a sequent 
derivation. In this regard we have the following results: 

Theorem 2 ([1], [4]). If Γ ⊢ Δ is derivable using SeqCK (resp. SeqID), it has 
a derivation where there are no applications of (ContrL) and (ContrR). 
    (AX)  Γ, F ⊢ Δ, F                          (A⊥)  Γ, x: ⊥ ⊢ Δ 

              Γ, F, F ⊢ Δ                                 Γ ⊢ Δ, F, F 
    (ContrL)  -----------                      (ContrR)  ----------- 
              Γ, F ⊢ Δ                                    Γ ⊢ Δ, F 

            Γ, x: A ⊢ x: B, Δ                         Γ ⊢ x: A, Δ     Γ, x: B ⊢ Δ 
    (→R)    -----------------                  (→L)   ---------------------------- 
            Γ ⊢ x: A → B, Δ                           Γ, x: A → B ⊢ Δ 

            u: A ⊢ u: B     u: B ⊢ u: A 
    (EQ)    --------------------------- 
            Γ, x –A→ y ⊢ x –B→ y, Δ 

            Γ ⊢ x –A→ y, Δ     Γ, y: B ⊢ Δ             Γ, x –A→ y ⊢ y: B, Δ 
    (⇒L)    ------------------------------     (⇒R)   ----------------------  (y ∉ Γ, Δ) 
            Γ, x: A ⇒ B ⊢ Δ                            Γ ⊢ x: A ⇒ B, Δ 

            Γ, x –A→ y, y: A ⊢ Δ                       Γ ⊢ x: A, Δ 
    (ID)    --------------------               (MP)   -------------- 
            Γ, x –A→ y ⊢ Δ                             Γ ⊢ x –A→ x, Δ 

Fig. 1. Sequent calculi SeqS; the (ID) rule is for SeqID and SeqID+MP only; 
the (MP) rule is for SeqMP and SeqID+MP only 



In contrast, we cannot eliminate contractions in SeqMP and SeqID+MP; 
more precisely, in these calculi we might need to use (ContrL) on conditional 
formulas x: A ⇒ B (footnote 2). However, we can limit the application of left contraction 
on conditional formulas, as follows: 

Theorem 3 ([4]). If Γ ⊢ Δ is derivable in SeqMP (resp. SeqID+MP), then it 
has a derivation where there are no applications of (ContrR) and there is at 
most one application of (ContrL) with constituent x: A ⇒ B in each branch of 
the proof tree, for each conditional formula x: A ⇒ B. 

These results give a constructive proof of decidability of the respective systems, 
alternative to the semantic proof based on the finite model property. 

3 Design of CondLean 

In this section we present an implementation of the sequent calculi SeqS; it is a 
SICStus Prolog program inspired by leanTAP [5]. The program comprises a set 
of clauses, each of which represents a sequent rule or axiom. The proof search 
is provided for free by the mere depth-first search mechanism of Prolog, without 
any additional ad hoc mechanism. 

We represent each component of a sequent (antecedent and consequent) by 
a list of formulas, partitioned into three sub-lists: atomic formulas, transitions 
and complex formulas. Atomic and complex formulas are represented by a list 
like [x,a], where x is a Prolog constant and a is a formula. A transition x –A→ 
y is represented by [x,a,y]. 

2 For example, we need (ContrL) to prove x: ⊤ ⇒ ((B → (⊤ ⇒ B)) → ⊥) ⊢ in 
CK+MP. 

As we explained above, we present three different implementations. The first 
one, called constant labels, makes use of Prolog constants to represent SeqS's 
labels. The sequent calculi are implemented by the predicate 

    prove(Sigma, Delta, Labels). 

This predicate succeeds if and only if Σ ⊢ Δ is derivable in SeqS, where Sigma 
and Delta are the lists representing the multisets Σ and Δ, respectively, and 
Labels is the list of labels introduced in that branch. For example, to prove x: 
A ⇒ (B ∧ C) ⊢ x: A ⇒ B, x: C in CK (footnote 3), one queries CondLean with the goal: 

    prove([[],[],[[x, a=>(b and c)]]], [[[x,c]],[],[[x, a=>b]]], [x]). 

Each clause of prove implements one axiom or rule of SeqS, except for contrac- 
tion (footnote 4); for example, the clause implementing (⇒L) is: 

    prove([LitSigma,TransSigma,ComplexSigma], 
          [LitDelta,TransDelta,ComplexDelta], Labels) :- 
        select([X,A=>B], ComplexSigma, ResComplexSigma), 
        member(Y, Labels),                 % choice point: every label of the branch 
        put([Y,B], LitSigma, ResComplexSigma, NewLitSigma, NewComplexSigma), 
        % left premise:  Sigma |- x -A-> y, Delta 
        prove([LitSigma,TransSigma,ResComplexSigma], 
              [LitDelta,[[X,A,Y]|TransDelta],ComplexDelta], Labels), 
        % right premise: Sigma, y: B |- Delta 
        prove([NewLitSigma,TransSigma,NewComplexSigma], 
              [LitDelta,TransDelta,ComplexDelta], Labels). 

The predicate select removes [X,A=>B] from ComplexSigma, returning 
ResComplexSigma as result. The predicate put is used to put [Y,B] in the proper 
sub-list of the antecedent. 

To search for a derivation of a sequent Σ ⊢ Δ, CondLean proceeds as follows. First 
of all, if Σ ⊢ Δ is an axiom, the goal succeeds immediately by using the 
clauses for the axioms. If it is not, then the first applicable rule is chosen, 
e.g. if ComplexSigma contains a formula [X, A and B], then the clause for the (∧L) 
rule is used, invoking prove on the unique premise of (∧L). CondLean 
proceeds in a similar way for the other rules. The ordering of the clauses is such 
that the application of the branching rules is postponed as much as possible. 
When the (⇒L) clause is used to prove Σ ⊢ Δ, a backtracking point is intro- 
duced by the choice of a label Y occurring in the two premises of the rule; in 
case of failure, Prolog's backtracking tries every instance of the rule with every 
available label (if more than one). Choosing, sooner or later, the right label to 
apply (⇒L) may strongly affect the theorem prover's efficiency: if there are n 
labels to choose from for an application of (⇒L), the computation might succeed only 
after n-1 backtracking steps, with a significant loss of efficiency. 

3 CondLean extends the sequent calculi to formulas containing also ¬, ∧, ∨ and ⊤. 

4 In SeqMP and SeqID+MP (ContrL) is “embedded” in (⇒L), although in a con- 
trolled way in light of Theorem 3 (see above). 
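The search described above, as an added Python example rather than CondLean's Prolog: a backward proof search for SeqCK, with the (ID) rule switched on for SeqID, over formulas built from ⊥, →, ∧ and ⇒. It follows the constant-labels strategy, trying every label of the branch for (⇒L) just as Prolog backtracking over member(Y, Labels) does. The tuple encoding, the helper names, the treatment of (ID) as a saturation step applied once to each transition in the antecedent, and the omission of (MP) with its controlled contraction are assumptions of this example; `paper_query` reproduces the goal queried in the text.

```python
# Added example (not CondLean's code): backward proof search for SeqCK, with the
# (ID) rule switched on for SeqID, in Python instead of Prolog. It follows the
# constant-labels strategy: (=>L) is tried with every label of the branch.
# (MP) and its controlled contraction (Theorem 3) are left out.
# Formulas: ("atom", p), ("bot",), ("imp", A, B), ("and", A, B), ("cond", A, B).
# Sequent items: ("lab", x, A) for x: A and ("tr", x, A, y) for x -A-> y.


def atom(p): return ("atom", p)
BOT = ("bot",)
def imp(a, b): return ("imp", a, b)
def conj(a, b): return ("and", a, b)
def cond(a, b): return ("cond", a, b)
def lab(x, a): return ("lab", x, a)
def tr(x, a, y): return ("tr", x, a, y)


def saturate_id(gamma):
    """(ID): each transition x -A-> y in the antecedent yields y: A. Applied once
    per transition (an assumption of this example), which is all the rule can
    contribute, so no contraction is needed."""
    return gamma + [lab(t[3], t[2]) for t in gamma
                    if t[0] == "tr" and lab(t[3], t[2]) not in gamma]


def prove(gamma, delta, labels, id_rule=False):
    """True iff gamma |- delta is derivable in SeqCK (SeqID when id_rule)."""
    if id_rule:
        gamma = saturate_id(gamma)
    # (AX) and (A bot)
    if any(f in delta for f in gamma) or any(f[0] == "lab" and f[2] == BOT for f in gamma):
        return True
    # (EQ): x -A-> y on the left and x -B-> y on the right close the branch when
    # A and B are interderivable; the rest of the sequent is discarded.
    for lt in gamma:
        for rt in delta:
            if lt[0] == "tr" and rt[0] == "tr" and (lt[1], lt[3]) == (rt[1], rt[3]):
                if prove([lab(0, lt[2])], [lab(0, rt[2])], [0], id_rule) and \
                   prove([lab(0, rt[2])], [lab(0, lt[2])], [0], id_rule):
                    return True
    # Invertible left rules (->L, andL): the first applicable one is committed to.
    for i, f in enumerate(gamma):
        if f[0] != "lab":
            continue
        x, a, rest = f[1], f[2], gamma[:i] + gamma[i + 1:]
        if a[0] == "imp":
            return prove(rest, delta + [lab(x, a[1])], labels, id_rule) and \
                   prove(rest + [lab(x, a[2])], delta, labels, id_rule)
        if a[0] == "and":
            return prove(rest + [lab(x, a[1]), lab(x, a[2])], delta, labels, id_rule)
    # Invertible right rules (->R, andR, =>R with a fresh label).
    for i, f in enumerate(delta):
        if f[0] != "lab":
            continue
        x, a, rest = f[1], f[2], delta[:i] + delta[i + 1:]
        if a[0] == "imp":
            return prove(gamma + [lab(x, a[1])], rest + [lab(x, a[2])], labels, id_rule)
        if a[0] == "and":
            return prove(gamma, rest + [lab(x, a[1])], labels, id_rule) and \
                   prove(gamma, rest + [lab(x, a[2])], labels, id_rule)
        if a[0] == "cond":
            y = max(labels) + 1
            return prove(gamma + [tr(x, a[1], y)], rest + [lab(y, a[2])], labels + [y], id_rule)
    # (=>L) is not invertible: try each conditional on the left with every label,
    # the counterpart of Prolog backtracking over member(Y, Labels).
    for i, f in enumerate(gamma):
        if f[0] == "lab" and f[2][0] == "cond":
            x, (_, a, b), rest = f[1], f[2], gamma[:i] + gamma[i + 1:]
            for y in labels:
                if prove(rest, delta + [tr(x, a, y)], labels, id_rule) and \
                   prove(rest + [lab(y, b)], delta, labels, id_rule):
                    return True
    return False


A, B, C, P, Q, R = (atom(s) for s in "abcpqr")


def paper_query():
    """The goal queried in the text: x: A => (B and C) |- x: A => B, x: C in CK."""
    return prove([lab(1, cond(A, conj(B, C)))], [lab(1, cond(A, B)), lab(1, C)], [1])


def id_axiom(id_rule):
    """|- x: A => A is derivable in SeqID but not in SeqCK."""
    return prove([], [lab(1, cond(A, A))], [1], id_rule)


def eq_example():
    """x: (p and q) => r |- x: (q and p) => r: the two transitions differ
    syntactically, so the branch can only be closed by (EQ)."""
    return prove([lab(1, cond(conj(P, Q), R))], [lab(1, cond(conj(Q, P), R))], [1])


if __name__ == "__main__":
    print(paper_query(), id_axiom(False), id_axiom(True), eq_example())
```

Because (⇒L) consumes the conditional it decomposes, the search is contraction-free and terminates, which is what Theorem 2 licenses for SeqCK and SeqID; the same code with an unbounded (ContrL) would loop, which is why the MP variants need the one-contraction-per-branch discipline of Theorem 3 before they can be added.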

Our second implementation, called free-variables, makes use of Prolog vari- 
ables to represent all the labels that can be used in a single application of the 
(⇒L) rule. This version represents labels by integers starting from 1; by using 
integers we can easily express constraints on the range of the variable-labels. 
To this end the library clpfd is used to manage free-variable domains. As 
an example, in order to prove Σ, 1: A ⇒ B ⊢ Δ the theorem prover will call 
prove on the following premises: Σ ⊢ 1 –A→ V, Δ and V: B, Σ ⊢ Δ, where V 
is a Prolog variable. This variable will then be instantiated by Prolog's pattern 
matching to apply either the (EQ) rule, or to close a branch with an axiom. Here 
below is the clause implementing the (⇒L) rule: 

    :- use_module(library(clpfd)).        % provides domain/3 and #>/2 

    prove([LitSigma,TransSigma,ComplexSigma], 
          [LitDelta,TransDelta,ComplexDelta], Max) :- 
        select([X,A=>B], ComplexSigma, ResComplexSigma), 
        domain([Y], 1, Max), Y #> X,       % Y is any label introduced after X 
        put([Y,B], LitSigma, ResComplexSigma, NewLitSigma, NewComplexSigma), 
        prove([NewLitSigma,TransSigma,NewComplexSigma], 
              [LitDelta,TransDelta,ComplexDelta], Max), 
        prove([LitSigma,TransSigma,ResComplexSigma], 
              [LitDelta,[[X,A,Y]|TransDelta],ComplexDelta], Max). 

The atom Y#>X adds the constraint Y>X to the constraint store: the constraint 
solver verifies its consistency during the comput. In SeqCK and 
SeqID we can only use labels introduced after the label X, hence the 
previous constraint. In SeqMP and SeqID+MP we can also use X itself, so we 
add the constraint Y#>=X instead. 

On a sequent with 65 labels in the antecedent this version succeeds in 460 milli- 
seconds, whereas the constant labels version takes 4326 milliseconds. 

We have also developed a third version, called the heuristic version, that per- 
forms a “two-phase” computation: in “Phase 1” an incomplete theorem prover 
searches for a derivation exploring a reduced search space; in case of failure, the free- 
variables version is called (“Phase 2”). Intuitively, the reduction of the search 
space in Phase 1 is obtained by committing to the choice of the label that instantiates 
a free variable, thereby blocking backtracking. 

For SeqMP and SeqID+MP, the theorem prover can also apply (ContrL), 
although it needs to at most once on each formula x: A ⇒ B occurring in 
every derivation branch. To implement this limited use of (ContrL) we allow 
the conditional formulas to which (⇒L) is being applied to be duplicated once. To this 
end we introduce another argument CondContr to the prove predicate, which now 
becomes: 

    prove(Sigma, Delta, Labels, CondContr). 

The list CondContr stores the conditional formulas of the antecedent that have 
been duplicated so far. When (⇒L) is applied to a formula x: A ⇒ B in the 
antecedent, the formula is duplicated at the same time into the CondContr list; 
when (⇒L) is applied to a formula in CondContr, in contrast, the formula is 
no longer duplicated. Thus the (⇒L) rule is split into two rules, one taking care 
of “unused” conditionals of the antecedent, the other taking care of “used” (or 
duplicated) conditionals. 

4 The Program CondLean 

CondLean also has a graphical interface (GUI) implemented in Java. The GUI 
interacts with the SICStus Prolog implementation by means of the package 
se.sics.jasper. Thanks to the GUI, one does not need to know how to call 
the predicate prove. One just enters a sequent in a text box and searches for a 
derivation by clicking a button; moreover, one can choose the version of the the- 
orem prover (constant labels, free-variables, heuristic version) and the intended 
system of conditional logic. If the sequent that has been entered is valid, the 
program offers these options: display a proof tree of the sequent in a special 
window, build a LaTeX file containing the proof tree, and view some statistics of 
the proof. 



5 Statistics and Conclusions 

The performances of the three versions of the theorem prover are promising even 
on a small machine. We have tested CondLean, obtaining the following results: 
in less than 2 seconds, the constant labels version succeeds in 79 tests out of 90, the 
free-variables one in 73 (but 67 in less than 10 milliseconds), the heuristic version 
in 78 (70 in less than 500 milliseconds). The test samples have been generated by 
modifying the samples from [2]. Considering the sequent degree (defined as the 
maximum level of nesting of the ⇒ operator) as a parameter, the free-variables 
version succeeds in less than 1 second for sequents of degree 11 and in less than 
2 seconds for sequents of degree 15. 

In future research we intend to extend CondLean to other systems of condi- 
tional logics and to experiment with standard refinements and heuristics to increase 
the efficiency of the theorem prover. 
Fig. 2. Some pictures of CondLean (screenshots; the statistics window reports 
sequent length, sequent degree, proof tree nodes, proof tree height, labels used, 
and the number of applications of (ContrL), (EQ), (⇒R) and (⇒L)) 